Source: http://154.216.19.160/txt/u7vqmxbxIbxVBXn.exe |
Virustotal: Detection: 15% |
Perma Link |
Source: na.rtf |
ReversingLabs: Detection: 50% |
Source: na.rtf |
Virustotal: Detection: 46% |
Perma Link |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Network connect: IP: unknown Port: 80 |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: unknown |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 154.216.19.160:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 154.216.19.160:80 |
Source: global traffic |
TCP traffic: 154.216.19.160:80 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 154.216.19.160:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 154.216.19.160:80 |
Source: global traffic |
TCP traffic: 154.216.19.160:80 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 154.216.19.160:80 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 154.216.19.160:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 154.216.19.160:80 |
Source: global traffic |
TCP traffic: 154.216.19.160:80 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 154.216.19.160:80 -> 192.168.2.22:49161 |
Source: Joe Sandbox View |
ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo |
Source: global traffic |
HTTP traffic detected: GET /txt/u7vqmxbxIbxVBXn.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 154.216.19.160Connection: Keep-Alive |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.216.19.160 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.216.19.160 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.216.19.160 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.216.19.160 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.216.19.160 |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{57948CBB-9A61-4128-B12D-A4B9500276A8}.tmp |
Jump to behavior |
Source: global traffic |
HTTP traffic detected: GET /txt/u7vqmxbxIbxVBXn.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 154.216.19.160Connection: Keep-Alive |
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.355204837.00000000005CF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://154.216.19.160/txt/u7vqmxbxIbxVBXn.exe |
Source: EQNEDT32.EXE, 00000002.00000002.355204837.00000000005CF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://154.216.19.160/txt/u7vqmxbxIbxVBXn.exedv |
Source: EQNEDT32.EXE, 00000002.00000002.355204837.00000000005CF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://154.216.19.160/txt/u7vqmxbxIbxVBXn.exej |
Source: initial sample |
Static file information: Filename: na.rtf |
Source: na.rtf, type: SAMPLE |
Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Memory allocated: 770B0000 page execute and read and write |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Memory allocated: 770B0000 page execute and read and write |
Jump to behavior |
Source: na.rtf, type: SAMPLE |
Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. |
Source: classification engine |
Classification label: mal100.expl.winRTF@4/9@0/1 |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File created: C:\Users\user\Desktop\~$na.rtf |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVR7905.tmp |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: na.rtf |
ReversingLabs: Detection: 50% |
Source: na.rtf |
Virustotal: Detection: 46% |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: wow64win.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: wow64cpu.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: msi.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: rpcrtremote.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dwmapi.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: secur32.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: webio.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dhcpcsvc6.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dhcpcsvc.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: wow64win.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: wow64cpu.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: msi.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: rpcrtremote.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dwmapi.dll |
Jump to behavior |
Source: na.LNK.0.dr |
LNK file: ..\..\..\..\..\Desktop\na.rtf |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005D8F59 push eax; retf |
2_2_005D8F61 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005E8B56 push esi; ret |
2_2_005E8B5F |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005E8B6C push esi; ret |
2_2_005E8B6F |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005E8B64 push esi; ret |
2_2_005E8B67 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005E8960 push edx; ret |
2_2_005E897B |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005E482E push edi; ret |
2_2_005E482F |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005E4826 push edi; ret |
2_2_005E4827 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005E87E0 push edi; ret |
2_2_005E87E7 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005E8988 push edx; ret |
2_2_005E898B |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005E8980 push edx; ret |
2_2_005E8983 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_005E4AA7 push ebp; ret |
2_2_005E4AAB |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3696 |
Thread sleep time: -180000s >= -30000s |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3940 |
Thread sleep time: -120000s >= -30000s |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |