
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 485344
Start time: 11:45:38
Joe Sandbox Product: Cloud
Start date: 20.01.2018
Overall analysis duration: 0h 13m 22s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: turla.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection: MAL
Classification: mal100.evad.spre.spyw.troj.winEXE@68/23@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 24
  • Number of non-executed functions: 0
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): WmiPrvSE.exe, conhost.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: turla.exe


Detection

Strategy    Score   Range     Reporting        Detection
Threshold   100     0 - 100   Report FP / FN   malicious


Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false                        Confidence


Classification

Analysis Advice

The sample has a GUI, but Joe Sandbox did not find any clickable buttons; more UI automation would likely extend the observed behavior.



Signature Overview



Networking:

URLs found in memory or binary data
Source: AcroRd32.exe | String found in binary or memory: file:///
Source: turla.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Scr.js0
Source: turla.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Scr.jsD
Source: turla.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Scr.jsV
Source: turla.exe | String found in binary or memory: file:///C:/Users/user/Desktop/
Source: turla.exe | String found in binary or memory: file:///C:/Users/user/Desktop/turla.exev1.0
Source: turla.exe | String found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/
Source: wscript.exe | String found in binary or memory: file:///C:/Windows/System32/cmd.exe
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia009424
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia009424/c/0
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia009424/c/07
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia009424/c/0Error
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia009424/c/0Vector.
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia009424/c/0file://AcrobatMedia009424/c/0file://AcrobatMedia009424/c/0
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia009424/c/0spark.components::Applicationspark.components.ApplicationError
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia009424/c/0xi
Source: AcroRd32.exe | String found in binary or memory: file://AcrobatMedia009424/d/0
Source: AcroRd32.exe | String found in binary or memory: http://
Source: AcroRd32.exe | String found in binary or memory: http://$(
Source: AcroRd32.exe | String found in binary or memory: http://.acrocomcontent.com
Source: AcroRd32.exe | String found in binary or memory: http://E
Source: AcroRd32.exe | String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe | String found in binary or memory: http://cipa.jp/exif/1.0/ul
Source: AcroRd32.exe | String found in binary or memory: http://crl.geotrust.com/crls/gtglobal.crl04
Source: AcroRd32.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: AcroRd32.exe | String found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
Source: AcroRd32.exe | String found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
Source: AcroRd32.exe | String found in binary or memory: http://evcs-ocsp.ws.symantec.com04
Source: AcroRd32.exe | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/PK
Source: AcroRd32.exe | String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe | String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/)K
Source: AcroRd32.exe | String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/.K
Source: AcroRd32.exe | String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.geotrust.com0K
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: AcroRd32.exe | String found in binary or memory: http://recentfiles
Source: AcroRd32.exe, UserCache.bin.4.dr | String found in binary or memory: http://recentfiles.
Source: AcroRd32.exe, UserCache.bin.4.dr | String found in binary or memory: http://recentfiles.com.adobe.acrobat.extensions.files_description
Source: wscript.exe | String found in binary or memory: http://schemas.m
Source: wscript.exe | String found in binary or memory: http://treso
Source: wscript.exe | String found in binary or memory: http://tresor-rare.com.hk/wp-content/plugins/wordpress-seo/v=
Source: AcroRd32.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AcroRd32.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: AcroRd32.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AcroRd32.exe | String found in binary or memory: http://w
Source: AcroRd32.exe | String found in binary or memory: http://ww
Source: AcroRd32.exe | String found in binary or memory: http://ww4
Source: AcroRd32.exe | String found in binary or memory: http://www
Source: AcroRd32.exe | String found in binary or memory: http://www.ad
Source: AcroRd32.exe | String found in binary or memory: http://www.adob
Source: AcroRd32.exe | String found in binary or memory: http://www.adobl-
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#5K
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe | String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe | String found in binary or memory: http://www.dictionary.com/cgi-bin/dict.pl?term=$o8
Source: AcroRd32.exe | String found in binary or memory: http://www.geotrust.com/resources/cps0(
Source: wscript.exe | String found in binary or memory: http://www.huluwa.uk/wp-content/plugin
Source: wscript.exe | String found in binary or memory: http://www.huluwa.uk/wp-content/plugins/woocommerce/includes/class-wc-log.php
Source: AcroRd32.exe | String found in binary or memory: http://www.macromedia.com
Source: AcroRd32.exe | String found in binary or memory: http://www.macromedia.comfile://AcrobatMedia009424/c/0file://AcrobatMedia009424
Source: AcroRd32.exe | String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe | String found in binary or memory: http://www.symauth.com/cps0(
Source: AcroRd32.exe | String found in binary or memory: http://www.symauth.com/cps09
Source: AcroRd32.exe | String found in binary or memory: http://www.symauth.com/rpa04
Source: AcroRd32.exe | String found in binary or memory: http://www.w3
Source: AcroRd32.exe | String found in binary or memory: http://www.w3z
Source: AcroRd32.exe | String found in binary or memory: http://wwwf
Source: AcroRd32.exe | String found in binary or memory: http://wwwi8
Source: AcroRd32.exe | String found in binary or memory: https://
Source: AcroRd32.exe | String found in binary or memory: https://.acrocomcontent.com
Source: AcroRd32.exe | String found in binary or memory: https://QA
Source: AcroRd32.exe | String found in binary or memory: https://WebServiceJob/com.adobe.acrobat.ADotCom/Resource/
Source: AcroRd32.exe | String found in binary or memory: https://WebServiceJob/com.adobe.acrobat.ADotCom/Resource/api
Source: AcroRd32.exe | String found in binary or memory: https://WebServiceJob/com.adobe.acrobat.RFLMAP/Resource/
Source: AcroRd32.exe | String found in binary or memory: https://WebServiceJob/com.adobe.acrobat.RFLMAP/Resource/)
Source: AcroRd32.exe | String found in binary or memory: https://idisk.mac.com/
Source: AcroRd32.exe | String found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe, ReaderMessages-journal.4.dr | String found in binary or memory: https://www.acro
Source: AcroRd32.exe | String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/
Source: AcroRd32.exe | String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/broadcastMessage
Source: AcroRd32.exe | String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/xehttps://www.macromedia.com/support/flashplayer/
Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\System32\NETSTAT.EXE netstat -nao

Stealing of Sensitive Information:

Gathers information about group policies (GPO)
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\gpresult.exe gpresult /z
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\gpresult.exe gpresult /z
Gathers information about network shares
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Gathers network related connection and port information
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\NETSTAT.EXE netstat -nao
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\NETSTAT.EXE netstat -nao
Gathers system information via systeminfo
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Detected KopiLuwak backdoor (related to Turla APT)
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'

Persistence and Installation Behavior:

Uses ipconfig to look up or modify the Windows network settings
Source: unknown | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.85051717396

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Performs a network lookup / discovery via ARP
Source: unknown | Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ARP.EXE arp -a
Performs a network lookup / discovery via net view
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: unknown | Process created: C:\Windows\System32\net.exe net view /domain
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view /domain

System Summary:

Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
PE file contains a COM descriptor data directory
Source: turla.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR DLLs
Source: C:\Users\user\Desktop\turla.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: turla.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: turla.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: wscript.pdb | source: wscript.exe
Source: Binary string: c:\LocalDisc_D\MyProjects\Runer\Runer\obj\Release\Runer.pdb | source: turla.exe
Source: Binary string: wscript.pdbN | source: wscript.exe
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: ~~.tmp.7.dr | Binary string (systeminfo output written to the temp file):
  Host Name: computer
  OS Name: Microsoft Windows 7 Professional
  OS Version: 6.1.7601 Service Pack 1 Build 7601
  OS Manufacturer: Microsoft Corporation
  OS Configuration: Standalone Workstation
  OS Build Type: Multiprocessor Free
  Registered Owner: admin
  Registered Organization:
  Product ID: 00371-OEM-9309885-30338
  Original Install Date: 1/1/1601, 12:00:00 AM
  System Boot Time: 1/20/2018, 11:43:54 AM
  System Manufacturer: wrnyzkm GmbH
  System Model: tudzbdapnk
  System Type: X86-based PC
  Processor(s): 1 Processor(s) Installed. [01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
  BIOS Version: wrnyzkm GmbH tudzbdapnk, 12/1/2006
  Windows Directory: C:\Windows
  System Directory: C:\Windows\system32
  Boot Device: \Device\HarddiskVolume1
  System Locale: en
Classification label
Source: classification engine | Classification label: mal100.evad.spre.spyw.troj.winEXE@68/23@0/0
Creates files inside the user directory
Source: C:\Users\user\Desktop\turla.exe | File created: C:\Users\user\AppData\Roaming\Scr.js
Creates temporary files
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\FAP25AA.tmp
Found command line output
(The captured console buffers were UTF-16 text interleaved with non-printable bytes; only the readable strings are kept below.)
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Operating System Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Computer Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Processor Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading BIOS Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Input Locale Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading TimeZone Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Profile Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Pagefile Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Hotfix Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Network Card Information
Source: C:\Windows\System32\gpresult.exe | Console Write: Getting the user data
Source: C:\Windows\System32\gpresult.exe | Console Write: Connecting to the RSOP namespace
Source: C:\Windows\System32\gpresult.exe | Console Write: Getting the RSOP method
Source: C:\Windows\System32\gpresult.exe | Console Write: Getting the SID information
Source: C:\Windows\System32\gpresult.exe | Console Write: Getting the user name
Source: C:\Windows\System32\gpresult.exe | Console Write: Getting the local profile for
Source: C:\Windows\System32\gpresult.exe | Console Write: Getting the common information
Source: C:\Windows\System32\gpresult.exe | Console Write: Getting the OS information
Source: C:\Windows\System32\gpresult.exe | Console Write: Retrieving RSOP data
Source: C:\Windows\System32\gpresult.exe | Console Write: Getting the RSOP provider
Source: C:\Windows\System32\gpresult.exe | Console Write: Getting the RSOP method
Source: C:\Windows\System32\gpresult.exe | Console Write: Putting the SID
Source: C:\Windows\System32\gpresult.exe | Console Write: Getting the user name
PE file has an executable .text section and no other executable section
Source: turla.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (Probably coded in C#)
Source: C:\Users\user\Desktop\turla.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
Source: C:\Users\user\Desktop\turla.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Reads ini files
Source: C:\Users\user\Desktop\turla.exe File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\turla.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown Process created: C:\Users\user\Desktop\turla.exe 'C:\Users\user\Desktop\turla.exe'
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Source: unknown Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Source: unknown Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3412.0.1190326145 --type=renderer 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {1CB75A7D-1803-47C7-91DA-EA5266AAF4C1} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown Process created: C:\Windows\System32\net.exe net view
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown Process created: C:\Windows\System32\net.exe net view /domain
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown Process created: C:\Windows\System32\tasklist.exe tasklist /v
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown Process created: C:\Windows\System32\gpresult.exe gpresult /z
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown Process created: C:\Windows\System32\NETSTAT.EXE netstat -nao
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown Process created: C:\Windows\System32\ARP.EXE arp -a
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown Process created: C:\Windows\System32\net.exe net share
Source: unknown Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Users\user\Desktop\turla.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Source: C:\Users\user\Desktop\turla.exe Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3412.0.1190326145 --type=renderer 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG
Source: C:\Windows\System32\taskeng.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /v
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\gpresult.exe gpresult /z
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\NETSTAT.EXE netstat -nao
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net share
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\turla.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Uses systeminfo.exe to query system information
Source: unknown Process created: C:\Windows\System32\systeminfo.exe systeminfo
Uses tasklist.exe to query information about running processes
Source: unknown Process created: C:\Windows\System32\tasklist.exe tasklist /v
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: turla.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712A10 NtOpenKey,4_2_00712A10
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_007129D0 NtCreateKey,4_2_007129D0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712AD0 NtCreateMutant,4_2_00712AD0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712B90 NtDeleteValueKey,4_2_00712B90
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712B10 NtCreateSection,4_2_00712B10
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712E90 NtMapViewOfSection,4_2_00712E90
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712850 NtOpenFile,4_2_00712850
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712890 NtQueryAttributesFile,4_2_00712890
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712B50 NtOpenSection,4_2_00712B50
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712A50 NtOpenKeyEx,4_2_00712A50
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712800 NtCreateFile,4_2_00712800
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 4_2_00712910 NtSetInformationFile,4_2_00712910
Creates mutexes
Source: C:\Windows\System32\gpresult.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\RsopCreateSessionMutex_computer_user
Source: C:\Users\user\Desktop\turla.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Sample file is different than original file name gathered from version info
Source: turla.exe Binary or memory string: OriginalFilenameRuner.exe, vs turla.exe
Source: turla.exe Binary or memory string: OriginalFilenamemscorwks.dllT vs turla.exe
Source: turla.exe Binary or memory string: System.OriginalFileName vs turla.exe
Source: turla.exe Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs turla.exe
Source: turla.exe Binary or memory string: originalfilename vs turla.exe
Source: turla.exe Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs turla.exe
.NET source code contains very large array initializations
Source: turla.exe, Program.cs Large array initialization: Main: array initializer size 22458
Source: turla.exe, Program.cs Large array initialization: Main: array initializer size 369804
Suspicious javascript / visual basic script found (invalid extension)
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG
Source: C:\Users\user\Desktop\turla.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: AcroRd32.exe, taskeng.exe Binary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, taskeng.exe Binary or memory string: Progman
Source: AcroRd32.exe, taskeng.exe Binary or memory string: Program Manager
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\turla.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Source: C:\Users\user\Desktop\turla.exe Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG
Source: C:\Windows\System32\taskeng.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /v
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\gpresult.exe gpresult /z
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\NETSTAT.EXE netstat -nao
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net share
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\turla.exe Memory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\wscript.exe System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\NETSTAT.EXE Process token adjusted: Debug

Malware Analysis System Evasion:

Queries a list of all running processes
Source: C:\Windows\System32\tasklist.exe Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\turla.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\turla.exe TID: 3368 Thread sleep time: -922337203685477s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 3484 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\systeminfo.exe TID: 3604 Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\systeminfo.exe TID: 3604 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 3952 Thread sleep time: -180000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 3952 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 4076 Thread sleep time: -180000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 4076 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\gpresult.exe TID: 2216 Thread sleep count: 34 > 30
Source: C:\Windows\System32\gpresult.exe TID: 2216 Thread sleep time: -2040000s >= -60000s
Source: C:\Windows\System32\ipconfig.exe TID: 2512 Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\ipconfig.exe TID: 2512 Thread sleep time: -60000s >= -60000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_ComputerSystem
Source: C:\Windows\System32\gpresult.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_ComputerSystem
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapter

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\turla.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the internet feature controls of the internet explorer
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Registry value created: HKEY_USERS\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\turla.exe | Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation (2x)
Source: C:\Users\user\Desktop\turla.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation (2x)

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 485344 | Sample: turla.exe | Startdate: 20/01/2018 | Architecture: WINDOWS | Score: 100

[Behavior graph image not preserved; its node and edge labels are reflowed below as a process tree. Numbers in parentheses are the graph's own node badges, reproduced as given.]

  • turla.exe (sample)
    Signatures: Detected KopiLuwak backdoor (related to Turla APT); .NET source code contains very large array initializations; Uses netstat to query active network connections and open ports; 8 other signatures
    • turla.exe (5) started
      Dropped: C:\Users\user\AppData\Roaming\Scr.js, ASCII
      Signatures: Suspicious javascript / visual basic script found (invalid extension)
      • wscript.exe (2) started
        Signatures: Detected KopiLuwak backdoor (related to Turla APT); Gathers information about group policies (GPO); Gathers network related connection and port information; 2 other signatures
        • cmd.exe (1) started
          • systeminfo.exe started
            Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        • cmd.exe started
          Signatures: Gathers information about group policies (GPO)
          • gpresult.exe started
        • cmd.exe started
          Signatures: Performs a network lookup / discovery via net view
          • net.exe started
        • 7 other processes
          Signatures: Gathers network related connection and port information; Performs a network lookup / discovery via ARP
          • net.exe started
            • net1.exe started
              Dropped: C:\Users\user\AppData\Roaming\...\~~.tmp, ASCII
          • net.exe started
          • tasklist.exe started
          • 3 other processes
      • AcroRd32.exe (6 49) started
        • AcroRd32.exe (1 90) started
    • taskeng.exe started
      • wscript.exe started

Simulations

Behavior and APIs

Time | Type | Description
11:47:15 | API Interceptor | 5x Sleep call for process: wscript.exe modified from: 60000ms to: 5000ms
11:47:17 | Task Scheduler | Run new task: PolicyConverter path: appidpolicyconverter.js s>FileTypeXML gwVAj83JsiqTz5fG
11:54:01 | API Interceptor | 10x Sleep call for process: systeminfo.exe modified from: 60000ms to: 5000ms
11:54:01 | API Interceptor | 2x Sleep call for process: taskeng.exe modified from: 60000ms to: 5000ms
11:54:03 | API Interceptor | 951x Sleep call for process: AcroRd32.exe modified from: 60000ms to: 5000ms
11:54:15 | API Interceptor | 4x Sleep call for process: tasklist.exe modified from: 60000ms to: 5000ms
11:54:18 | API Interceptor | 34x Sleep call for process: gpresult.exe modified from: 60000ms to: 5000ms
11:54:26 | API Interceptor | 3x Sleep call for process: ipconfig.exe modified from: 60000ms to: 5000ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot