Malware Analysis Report (AR20-133I)

MIFR-00435108-1.v2

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.

This report contains preliminary analysis and is not intended to be a complete description of the submitted artifacts' capabilities. Results may be incomplete due to the artifacts' complexity or ability to defend against analysis techniques. If additional information is required, please contact the CISA Security Operations Center using the information at the end of this report.

Analysis Environment: 32_bit, windows_7

For a downloadable copy of IOCs, see MIFR-00435108-1.v2.stix.

Submitted Files (22)

1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce (MSComctlLib.exd)

2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87 (MSComctlLib.exd)

285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81 (error008480_01.xml)

4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a (Electronic Tickets.xlsx)

4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c (Health Register Form.xlsx)

632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4 (UPDATED DLT as of 31 OCTOBER 2...)

7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09 (Meeting Schedule (8 ~ 19 Dec 2...)

96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858 (Economic Action Plan 2015 and ...)

a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757 (~xls.xlsx)

a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a (Health Register Form.xlsx)

a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a (FireFox.url)

a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29 (MSComctlLib.exd)

ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9 (MSComctlLib.exd)

b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b (Outlook.exe)

b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c (MSComctlLib.exd)

ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb (error012760_01.xml)

cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9 (error026800_01.xml)

d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb (Briefing Notes.xlsx)

dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060 (MSComctlLib.exd)

e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2 (A7A1FD8E.emf)

ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801 (Tel list for HBS.xlsx)

f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2 (SqlServer.exe)

Domains (1)

sharedisplay.crabdance.com

Findings

d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb

Tags

CVE-2012-0158
trojan

Details
Name Briefing Notes.xlsx
Name Briefing-Notes.xlsx
Size 40047 bytes
Type Zip archive data, at least v1.0 to extract
MD5 5a2bd115d0ccb413bc9c33da3db431a6
SHA1 72693b2257ad05594255ce42b1b8f78cef05654f
SHA256 d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
SHA512 638966ce407cf903462be4abf6bf8fcbde84678b1b5ab2a1fb096ef5ebc0156ed9ae5ad33fa95fd04f068006ef31c8b4e8e0ce145eed8e7401a64ffa02989121
ssdeep 768:pUCyOM3zmt0dcUEpuPzvIokQ4O69ny+0aBdDeBvFs0rKJyah:p3MZd/4uPzuOnzmDexm0r9K
Entropy 7.902461
Antivirus
McAfee Exploit-Shellcode.b
NANOAV Exploit.ComObj.CVE-2012-0158.hzuf
TrendMicro TROJ_CV.BC8636A1
TrendMicro House Call TROJ_CV.BC8636A1
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
d98266f962... Dropped d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
d98266f962... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
d98266f962... Dropped f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
d98266f962... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
d98266f962... Dropped ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9
d98266f962... Dropped a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
d98266f962... Dropped 285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
Description

Process Tree:
- EXCEL.EXE 364 (2468)
- - cmd.exe 1308 (364)
- - - SqlServer.exe 2228 (1308)
- - cmd.exe 2340 (364)
- - - EXCEL.EXE 848 (2340)

EXCEL.EXE (848) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRDB62.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\AppData\Local\Temp\~xls.xlsx
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$~xls.xlsx
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL
NtCreateFile, C:\Windows\system32\imageres.dll
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE535.tmp
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\AppData\Local\Temp\error008480_01.xml
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini

EXCEL.EXE (364) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB353.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Briefing-Notes.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Briefing-Notes.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7A1FD8E.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DFD6EA0462A523DB58.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe
NtCreateFile, C:\Users\user\AppData\Local\Temp\~xls.xlsx

cmd.exe (2340) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\cmd.exe
NtCreateFile, C:\Windows\INF\setupapi.app.log
NtCreateFile, C:\Windows\AppPatch\pcamain.sdb

SqlServer.exe (2228) API behavior:
NtCreateFile, C:\ProgramData\Media Player
NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe
NtCreateFile, C:\ProgramData\Media Player\wmplayer.exe
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url
NtCreateFile, C:\Windows\system32\tzres.dll

File activity:
write, C:\Users\user\AppData\Local\Temp\~$Briefing-Notes.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7A1FD8E.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
write, C:\Users\user\AppData\Local\Temp\SqlServer.exe
execute, cmd /c C:\Users\user\AppData\Local\Temp\SqlServer.exe
write, C:\Users\user\AppData\Local\Temp\~xls.xlsx
execute, cmd /c C:\Users\user\AppData\Local\Temp\~xls.xlsx
execute, C:\Users\user\AppData\Local\Temp\SqlServer.exe
write, C:\ProgramData\Media Player\wmplayer.exe
write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url
execute, C:\Users\user\AppData\Local\Temp\~xls.xlsx
execute, "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
write, C:\Users\user\AppData\Local\Temp\~$~xls.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE535.tmp
write, C:\Users\user\AppData\Local\Temp\error008480_01.xml

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems}2{:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1ECC74F1ECC74F:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301057
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x00C\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301058
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301069
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301105
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184301057
write, SqlServer: C:\Users\user\AppData\Local\Temp\SqlServer.exe
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301070
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsbzt:
write, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1ECF13E1ECF13E:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301071
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301106
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184301057
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184301058
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\1ECF821:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes1ECF821:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1ECF9431ECF943:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlagsMax Display: 25
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Max Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing538F6C892AD540068154C6670774E980:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesLastPurgeTime: 23828998

Duplicate file:
Briefing-Notes.xlsx

285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81

Details
Name error008480_01.xml
Size 689 bytes
Type XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5 7e7be8d27133737b56d4ee3940b8542a
SHA1 c919acbb84c42132f8c5e4df2e381e3dc2f5ba11
SHA256 285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
SHA512 a4eb7efec30dd223015d272855af586767084d893d0e15b6faae79b2bc69b2eee48b22760dee87313285a16be0da6c4ac2ce93cffab9ee3a17b314bbb50ec140
ssdeep 12:TMHdtz6fxVjd5lfeJati+KgyPCLGTmylMF6l38Z5PB2B2Blb:2dtz6fxBd5VsaGNCqsnB2B2Blb
Entropy 4.934094
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
97 53a4546d066fce5aa5bdc44694f353ca8761cd8451f33c0ef24c6106ea382dcb
97 ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb
96 cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
94 f57e76cfc2e9dd4e8d9b1c504541d8848fae8fe44d026647b135ea9cff14a6e4
Relationships
285b07362f... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
Description

Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)

cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2

Tags

trojan

Details
Name SqlServer.exe
Name wmplayer.exe
Size 16384 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d1b579e01552f0ad4f005cfcecb2741b
SHA1 dde439706d5cbd9abd908a6c476d4073455ff09c
SHA256 f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
SHA512 5655952a926847c412e31be39c7c00cd3f21321085df27b0ea4c2a3263077bc28af57006e58668b6a2b029050edf42f54086bfe32bcd1030e87b4295d1b64fa5
ssdeep 192:Os4ynIA+9KMW24hJEWFr1NLL12rP1oynz+:nrMb4hJzZNn121Z
Entropy 2.959396
Antivirus
Avira TR/Agent.16384.898
ESET a variant of Win32/Agent.WTO trojan
Ikarus Trojan.Win32.Agent
NANOAV Trojan.Win32.Agent.drjddl
TrendMicro TSPY_LI.3E72A676
TrendMicro House Call TSPY_LI.3E72A676
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2014-11-19 20:09:27-05:00
Import Hash 9fa2392b1c4c4a70ccaed2db6cc38fb8
PE Sections
MD5 Name Raw Size Entropy
cd69ddfbf11492f4fe8668b278883fcc header 4096 0.618909
1bc187594f2d00d7ce31bf1a2989c05e .text 4096 5.905148
87dc21f31afa1cd618994dfa69a1a974 .rdata 4096 2.471052
2d6e8e0f37278c8b844fa4ab7b1438ac .data 4096 0.907517
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
f18029b49e... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
f18029b49e... Dropped f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
f18029b49e... Dropped_By f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
Description

Process Tree:
- SqlServer.exe 2212 (2472)

SqlServer.exe (2212) API behavior:
NtCreateFile, C:\ProgramData\Media Player
NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe
NtCreateFile, C:\ProgramData\Media Player\wmplayer.exe
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url
NtCreateFile, C:\Windows\system32\tzres.dll

File activity:
write, C:\ProgramData\Media Player\wmplayer.exe
write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url

Duplicate file:
wmplayer.exe

e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2

Details
Name 3DADA823.emf
Name 581A9D3E.emf
Name 8EAC1637.emf
Name A7A1FD8E.emf
Name CD231BDC.emf
Name D4D72E9A.emf
Name EE6786AD.emf
Size 1496 bytes
Type Windows Enhanced Metafile (EMF) image data version 0x10000
MD5 aa44b60fff50e7bd714898d6d540bb45
SHA1 e251e7660e60059fd4ec6278a1338b1aa33f97b7
SHA256 e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
SHA512 c0a78b716c8e09a7e4b68262ea51d878b51fa2ce84638973dd809d2f06a9365eddadf1c8902c92fc4c4c9946107178aef3747a1c520f840348acebb2b76ae4b3
ssdeep 24:YXTLuvIlI+aZrXXJ4ySTWER+lDR4PqrV2gzeftkcvr18vt+z:YDlaJ4brEMguXz
Entropy 3.184906
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
e0e3b1b331... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
e0e3b1b331... Dropped_By 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
e0e3b1b331... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
e0e3b1b331... Dropped_By a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
e0e3b1b331... Dropped_By 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
e0e3b1b331... Dropped_By ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
e0e3b1b331... Dropped_By 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
Description

Process Tree:
- cmd.exe 2680 (2468)
- - cmd.exe 2612 (2680)

cmd.exe (2612) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

Duplicate files:
D4D72E9A.emf
3DADA823.emf
8EAC1637.emf
EE6786AD.emf
CD231BDC.emf
581A9D3E.emf

ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9

Details
Name MSComctlLib.exd
Size 168732 bytes
Type data
MD5 db8b1e4292c4f3ddf75c8761d96725b7
SHA1 c83f0922d009ff763223df5e4156ada7c8f7b5ba
SHA256 ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9
SHA512 b22dbc4b7a6bc43bc54d4bf887588919a1d25e0a833201d6a2f2905e3a02525b50595c6bd0ae3494c81276b132872df6c6b3389d9bcd1cf7defe791f13105134
ssdeep 1536:Ep8D8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:EIBoZuE/5xWgNmOnG8Gmn
Entropy 4.759752
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
99 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
99 1ee54e3db1cfbdecd4b540185fe481708b9b2e167920cd2bed2d1a6a176d5d98
99 206ce81653e4f5953153a66c33bd1ad8e2cce821bc5e06e95008c16acbfa4305
99 641ca61f849cad9cd7f23861281b41e8de48b567eaf2b29538c4fe05b1780151
99 dc420118d71690c1afa3865acf82070fc31dad2681efa0fa561afd78cef51909
99 fdc0e5e2709511f7085f80f6558ae0947c1b04dc920f9b7d1b41f2b944b45bee
Relationships
ae7c0faac4... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
Description

Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)

cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757

Details
Name xls.xlsx
Name ~Excel.xlsx
Name ~xls.xlsx
Size 12581 bytes
Type Zip archive data, at least v1.0 to extract
MD5 84694e84a1ece2e535300b3239a65bfe
SHA1 2556bebecef95f8030db0b285d9a1056325ba815
SHA256 a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
SHA512 d6ffead0bc94a531c963b9515001298ee5cd40233ae5dd0591b989e38c6720b2c120c59900cdfdfc31a53f3de26ac360d3569373963785d34ea8c21fe020131a
ssdeep 96:n00AiEkfEASbncCkfdbGdA1iha4haU63paTEFDIt0BldAXD4kS0Aqs4viODA3ts3:n0FeywCkfd6A2TYviIld6DNS0czzzzu
Entropy 6.041399
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
a0ee57b452... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
a0ee57b452... Dropped cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
a0ee57b452... Dropped a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
a0ee57b452... Dropped_By a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
a0ee57b452... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
Description

Process Tree:
- EXCEL.EXE 2680 (2468)

EXCEL.EXE (2680) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB26D.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\xls.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$xls.xlsx
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL
NtCreateFile, C:\Windows\system32\imageres.dll
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB27.tmp
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Users\user\AppData\Local\Temp\error026800_01.xml

File activity:
write, C:\Users\user\AppData\Local\Temp\~$xls.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB27.tmp
write, C:\Users\user\AppData\Local\Temp\error026800_01.xml

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsw~+:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1235BDE1235BDE:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235521
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235522
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery123637F123637F:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes123637F:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00B\x007\x005\x00F\x00-\x007\x00F\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery12364511236451:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelPlace MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelFile MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing538F6C892AD540068154C6670774E980:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelSecurityTrusted DocumentsLastPurgeTime: 23829016

Duplicate files:
xls.xlsx
~Excel.xlsx
~xls.xlsx
C:\Users\user\AppData\Local\Temp\~$~xls.xlsx

cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9

Details
Name error026800_01.xml
Size 688 bytes
Type XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5 edd1edc9b4bf0ce0248a2b16128b20f2
SHA1 5aa1bf61b29c55b2d630dae6d1ff9298f342fa9d
SHA256 cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
SHA512 c2bb6c70a1120ca65e29c05dd1d8e889750cc3fbae4fd433160d62826f71e7ded113f307d9591140b106d29bd40003a0f74c236d3d812bf23a970321ead2501d
ssdeep 12:TMHdtz6fxVrd5lfeJ4i+KgyPCLGTmylMF6l38Z5PB2B2Blb:2dtz6fxpd5VsTNCqsnB2B2Blb
Entropy 4.923656
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
96 285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
96 53a4546d066fce5aa5bdc44694f353ca8761cd8451f33c0ef24c6106ea382dcb
96 ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb
96 f57e76cfc2e9dd4e8d9b1c504541d8848fae8fe44d026647b135ea9cff14a6e4
Relationships
cfedd2b1c5... Dropped_By a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
Description

Process Tree:
- cmd.exe 2680 (2468)
- - cmd.exe 2612 (2680)

cmd.exe (2612) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858

Tags

CVE-2012-0158
trojan

Details
Name Economic Action Plan 2015 and AECL funding.xlsx
Name Economic-Action-Plan-2015-and-AECL-funding.xlsx
Size 55622 bytes
Type Zip archive data, at least v1.0 to extract
MD5 333aadb2cb323c1822976e9c6be9e32c
SHA1 d402cbcfc0074c857ff05bdae5495227e26ef297
SHA256 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
SHA512 aba8899a9ebe1b021ffb016227045b1546ad336f6deb3ab5740cb41627364f9dc01a32349b09b31e28d0e21b0b7ad054ef501511e51004284958529e1a3a9564
ssdeep 1536:HFUdGJcG2bqa+OAF8G/tXEx9Rb9MfonzNPjwPf+13rh:6GJx2QqGybofczljhbh
Entropy 7.941998
Antivirus
McAfee Exploit-Shellcode.b
NANOAV Exploit.ComObj.CVE-2012-0158.hzuf
TrendMicro TROJ_CV.BC8636A1
TrendMicro House Call TROJ_CV.BC8636A1
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
96387d3759... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
96387d3759... Dropped 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
96387d3759... Dropped_By 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
96387d3759... Dropped dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060
Description

Process Tree:
- EXCEL.EXE 3660 (2476)

EXCEL.EXE (3660) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB277.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Economic-Action-Plan-2015-and-AECL-funding.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Economic-Action-Plan-2015-and-AECL-funding.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D4D72E9A.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DFDBA8A9B9701F1ED3.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

File activity:
write, C:\Users\user\AppData\Local\Temp\~$Economic-Action-Plan-2015-and-AECL-funding.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D4D72E9A.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsw\x7f-:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1A3885E1A3885E:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301057
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x004\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301058
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301069
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301105
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184301057

Duplicate file:
Economic-Action-Plan-2015-and-AECL-funding.xlsx

dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060

Details
Name MSComctlLib.exd
Size 168732 bytes
Type data
MD5 9388d75b01fe8b6d35134d24c02a1f3e
SHA1 f8612f34878312343bc2e3b6cd3475d87d1bb921
SHA256 dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060
SHA512 928caf7f53318d68f5de29599f00610da4b65661c676f96987b0407c858bd0aa2d5d4313b98505e6cb6d96e6617bd8fa5a12e6f9ab12f8bb89141848baa0c0a6
ssdeep 1536:Ep8O8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:EVBoZuE/5xWgNmOnG8Gmn
Entropy 4.759769
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
99 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
99 1ee54e3db1cfbdecd4b540185fe481708b9b2e167920cd2bed2d1a6a176d5d98
99 206ce81653e4f5953153a66c33bd1ad8e2cce821bc5e06e95008c16acbfa4305
99 24cf08a72fbae51534df73ca8e150ad2db3548950dcd0d415da16ffa4747b7a4
99 d33f43fdf07c12f7c761f67b4928b0fc52baf0c065f87fc773422274d4ba00f2
99 fdc0e5e2709511f7085f80f6558ae0947c1b04dc920f9b7d1b41f2b944b45bee
Relationships
dd8a2661a0... Dropped_By 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
Description

Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)

cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a

Tags

CVE-2012-0158, dropper, trojan

Details
Name Electronic Tickets.xlsx
Name Electronic-Tickets.xlsx
Size 41047 bytes
Type Zip archive data, at least v1.0 to extract
MD5 fd14a2e69f8fd212db228d946689242f
SHA1 0ca32a7bd47a8dea2ea0c4395f1855b797af7bfe
SHA256 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
SHA512 3224c8d65b6cb8bc1c1b4e2fcb6e9c1f4357b6a5f1cac3daa1c325690c3729eb040e6cac73689757530923fcb2050626e78d638627ad5c6f532488ece861cb58
ssdeep 768:NILBezDz84OLhQxFVcbS7usGASmp7rgJyV8CG2dM8snriF/7rQJlX:NIIz84OtQnVcO7usGA/7eyCp2dunux7+
Entropy 7.905476
Antivirus
McAfee Exploit-Shellcode.b
NANOAV Exploit.ComObj.CVE-2012-0158.hzuf
Symantec Trojan.Mdropper
TrendMicro TROJ_CV.BC8636A1
TrendMicro House Call TROJ_CV.BC8636A1
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
4425fb588a... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
4425fb588a... Dropped a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
4425fb588a... Dropped a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a
4425fb588a... Dropped b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
4425fb588a... Dropped a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29
4425fb588a... Dropped 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
4425fb588a... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
4425fb588a... Dropped ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb
4425fb588a... Connected_To sharedisplay.crabdance.com
Description

Process Tree:
- EXCEL.EXE 2680 (2468)
- - cmd.exe 100 (2680)
- - - Outlook.exe 1156 (100)
- - cmd.exe 2580 (2680)
- - - EXCEL.EXE 1276 (2580)

EXCEL.EXE (2680) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB263.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Electronic-Tickets.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Electronic-Tickets.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DADA823.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF49E9F5ED09064C50.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
NtCreateFile, C:\Users\user\AppData\Local\Temp\Outlook.exe
NtCreateFile, C:\Users\user\AppData\Local\Temp\~Excel.xlsx

EXCEL.EXE (1276) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRBAE0.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\AppData\Local\Temp\~Excel.xlsx
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$~Excel.xlsx
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL
NtCreateFile, C:\Windows\system32\imageres.dll
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoCBB3.tmp
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\AppData\Local\Temp\error012760_01.xml
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini

cmd.exe (2580) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\cmd.exe
NtCreateFile, C:\Windows\INF\setupapi.app.log
NtCreateFile, C:\Windows\AppPatch\pcamain.sdb

Outlook.exe (1156) API behavior:
getaddrinfo, user-PC
getaddrinfo, sharedisplay.crabdance.com
NtCreateFile, C:\Users\user\AppData\Local\Temp\Outlook.exe
NtCreateFile, C:\Users\user\AppData\Local\Temp\regsvr.exe
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url
NtCreateFile, C:\Users\user\AppData\Local\Tempaspnet_perf.ini
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
NtCreateFile, Nsi
NtCreateFile, C:\Windows\system32\en-US\urlmon.dll.mui

File activity:
write, C:\Users\user\AppData\Local\Temp\~$Electronic-Tickets.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DADA823.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
write, C:\Users\user\AppData\Local\Temp\Outlook.exe
execute, cmd /c C:\Users\user\AppData\Local\Temp\Outlook.exe
write, C:\Users\user\AppData\Local\Temp\~Excel.xlsx
execute, cmd /c C:\Users\user\AppData\Local\Temp\~Excel.xlsx
execute, C:\Users\user\AppData\Local\Temp\Outlook.exe
write, C:\Users\user\AppData\Local\Temp\regsvr.exe
write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url
execute, C:\Users\user\AppData\Local\Temp\~Excel.xlsx
execute, "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
write, C:\Users\user\AppData\Local\Temp\~$~Excel.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoCBB3.tmp
write, C:\Users\user\AppData\Local\Temp\error012760_01.xml

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsm`b:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA1DD4DA1DD4:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235521
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x005\x004\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235522
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184235521
write, Outlook: C:\Users\user\AppData\Local\Temp\Outlook.exe
write, HKEY_CURRENT_USER\Software\MicrosoftServerID: 14295685
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesUNCAsIntranet: 0
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesAutoDetect: 1
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235534
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsj9c:
write, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA2C94DA2C94:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235535
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235570
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235521
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235522
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA35E3DA35E3:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesDA35E3:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA371ADA371A:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000\Software\Microsoft\Windows NT\CurrentVersionMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelFile MRUMax Display: 25
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes538F6C892AD540068154C6670774E980:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000LastPurgeTime: 23829032

Duplicate file:
Electronic-Tickets.xlsx

a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a

Details
Name FireFox.url
Size 67 bytes
Type MS Windows 95 Internet shortcut, ASCII text, with CRLF line terminators
MD5 1af898d9128528b558b9dc69e5fff4a3
SHA1 16d10d145f6fe1c637516d92c3e986130de56844
SHA256 a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a
SHA512 db8f1a028482bc0989494622cde218d3d30eab201a8568eba731dc4bb2344f1bcf3227eefd8ef822ab86fc6e98f7bb8b85607671d83d504d130db634503db48c
ssdeep 3:HRAbABGQ4mmRDcpkVkE2J5xAIi1:HRYF1mIDOk/23fo
Entropy 4.558096
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
a57a8693a2... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
a57a8693a2... Dropped_By b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
Description

Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)

cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

Duplicate file:
FireFox.url

b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b

Tags

backdoor, downloader, trojan

Details
Name Outlook.exe
Name regsvr.exe
Size 16384 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e92f629b59d5560be0938d91b10cbf6b
SHA1 99770f3293e9bc1d98f18e05f3706cdf0436a029
SHA256 b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
SHA512 efc1b3ebeb330fd81b5c9274f9442eb386952145ebabcad59cc02af80e20b9fc903c6b0c92c3c322d061260d1be65278447e492f3c5119c5aa7b0b5c0e1b98b8
ssdeep 384:pIExYslVXYKLa8PwnAhP6T2fLcvbT/z2S+v5C:pVYhjAZCS4vbT/SS+v5
Entropy 7.584727
Antivirus
Ahnlab Trojan/Win32.Agent
Avira TR/Dldr.Agent.16384.79
BitDefender Gen:Trojan.Heur.bmGfXzh!@hi
ESET a variant of Win32/TrojanDownloader.Sarhust.F trojan
Emsisoft Gen:Trojan.Heur.bmGfXzh!@hi (B)
Ikarus Trojan-Downloader.Win32.Sarhust
NANOAV Trojan.Win32.Sarhust.dqfszc
Symantec Backdoor.Darkmoon!g11
TrendMicro BKDR_DARKMOON.CX
TrendMicro House Call BKDR_DARKMOON.CX
VirusBlokAda BScope.TrojanDownloader.Sarhust
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2014-11-20 21:54:59-05:00
Import Hash bf924fd174676b993d0b52ce64981e79
PE Sections
MD5 Name Raw Size Entropy
93df4c3353d017a4c5ae4f02bc7b3be5 header 1024 2.192257
d41d8cd98f00b204e9800998ecf8427e .txt 0 0.000000
39a44749e7dc3e3e3680ca3e6347e73f .rdata 14848 7.841829
ed3ca45c281e057927ac5d9f5efe2f04 .data 512 2.602482
Packers/Compilers/Cryptors
UPX -> www.upx.sourceforge.net
Relationships
b4a2f1fd5a... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
b4a2f1fd5a... Dropped a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a
b4a2f1fd5a... Dropped b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
b4a2f1fd5a... Dropped_By b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
Description

Process Tree:
- Outlook.exe 3660 (2476)

Outlook.exe (3660) API behavior:
getaddrinfo, user-PC
getaddrinfo, sharedisplay.crabdance.com
NtCreateFile, C:\Users\user\AppData\Local\Temp\Outlook.exe
NtCreateFile, C:\Users\user\AppData\Local\Temp\regsvr.exe
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url
NtCreateFile, C:\Users\user\AppData\Local\Tempaspnet_perf.ini
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
NtCreateFile, Nsi
NtCreateFile, C:\Windows\system32\en-US\urlmon.dll.mui

File activity:
write, C:\Users\user\AppData\Local\Temp\regsvr.exe
write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url

Registry activity:
write, HKEY_CURRENT_USER\Software\MicrosoftServerID: 35894213
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1

Duplicate file:
regsvr.exe

a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29

Details
Name MSComctlLib.exd
Size 168732 bytes
Type data
MD5 aa81574288e16eca2ba5cd6ce883e187
SHA1 2eddfd6ceeb692d8fb108c3a68973ea81c40d3cb
SHA256 a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29
SHA512 121dc54b75e3fc58f11637e124394b55761dfd0dfcb701fd7c3434ba84093fe22e7f91073f799baa3dc9e844da288640e27df7df8dea7964a02ad457f2bfb067
ssdeep 1536:Ep8D8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:EoBoZuE/5xWgNmOnG8Gmn
Entropy 4.759764
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
99 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
99 1ee54e3db1cfbdecd4b540185fe481708b9b2e167920cd2bed2d1a6a176d5d98
99 206ce81653e4f5953153a66c33bd1ad8e2cce821bc5e06e95008c16acbfa4305
99 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
99 24cf08a72fbae51534df73ca8e150ad2db3548950dcd0d415da16ffa4747b7a4
99 2a5edeb74169258b17b39bd3c7cb33948e7b4f7fb507ff244662cdc3b7724d77
99 2e325bfb75e71651bc459566665700811240e0fd7098cc5b16fa8ca5d2236f62
Relationships
a8a277c10d... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
Description

Process Tree:
- cmd.exe 2680 (2468)
- - cmd.exe 2612 (2680)

cmd.exe (2612) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb

Details
Name error012760_01.xml
Size 691 bytes
Type XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5 08d54cd22dbf103b0a90f165ed1b77db
SHA1 a5340db9a7df79a8cd31aba5dced7a6df78cbb4d
SHA256 ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb
SHA512 edbcef407ef2e05d837c570f938b1a012b0201e4fb27c2a3d4cff23f2ae10d68780883a63675fb6e8f53852d3a7fb5379d3e748d44516f0522c3dc552797bd7d
ssdeep 12:TMHdtz6fxVBd5lfeJoti+KgyPCLGTmylMF6l38Z5PB2B2Blb:2dtz6fxLd5VsoGNCqsnB2B2Blb
Entropy 4.941871
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
97 285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
99 53a4546d066fce5aa5bdc44694f353ca8761cd8451f33c0ef24c6106ea382dcb
96 cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
94 f57e76cfc2e9dd4e8d9b1c504541d8848fae8fe44d026647b135ea9cff14a6e4
Relationships
ce7cee02be... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
Description

Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)

cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a

Tags

CVE-2012-0158

Details
Name Health Register Form.xlsx
Name Health-Register-Form.xlsx
Size 47331 bytes
Type Zip archive data, at least v1.0 to extract
MD5 f0636dd3057095069a7fb2f7620790b0
SHA1 79746748ba38522f164346dac1789eff9e1af0df
SHA256 a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
SHA512 362b02bea79eeb2bb59def545d22c8bac9fcd24c210bc963ae9af2d6d801cf709b642f726d403dc479d3ea2c372a649e2464a6e4277538651d3414d0d0b5069f
ssdeep 768:SobQS+DDDIJFPZD+3yHpb5rTC6H5pUdqrMHV96cptUr0fvGFD3rAJ+dECYkiT:SBsJFPZ8YM6ZmTHbLU4f+13rvpE
Entropy 7.925009
Antivirus
Ikarus Exploit.CVE-2012-0158.Gen2
McAfee Exploit-Shellcode.b
NANOAV Exploit.ComObj.CVE-2012-0158.hzuf
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
a261962d1f... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
a261962d1f... Dropped a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
a261962d1f... Dropped_By a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
a261962d1f... Dropped 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
a261962d1f... Dropped 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
Description

Process Tree:
- EXCEL.EXE 364 (2472)
- - cmd.exe 3060 (364)
- - - SqlServer.exe 1272 (3060)
- - cmd.exe 748 (364)

EXCEL.EXE (364) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB26D.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Health-Register-Form.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL
NtCreateFile, C:\Windows\system32\imageres.dll
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB77.tmp
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EAC1637.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF8DC69AA1B12AE2DF.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe
NtCreateFile, C:\Users\user\AppData\Local\Temp\Health Register Form.xlsx

SqlServer.exe (1272) API behavior:
getaddrinfo, user-PC
NtCreateFile, C:\Users\user\AppData\Local\Temp\logs\
NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe
NtCreateFile, Nsi
NtCreateFile, C:\DEVICE\NETBT_TCPIP_{EE3609C4-8FD2-4425-A052-503E93DD9F04}

File activity:
write, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB77.tmp
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EAC1637.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
write, C:\Users\user\AppData\Local\Temp\SqlServer.exe
execute, cmd /c C:\Users\user\AppData\Local\Temp\SqlServer.exe
write, C:\Users\user\AppData\Local\Temp\Health Register Form.xlsx
execute, cmd /c C:\Users\user\AppData\Local\Temp\Health Register Form.xlsx
execute, C:\Users\user\AppData\Local\Temp\SqlServer.exe

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems\ws1:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\MTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1A3885E\1A3885E:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\EXCELFiles: 1184301069
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductFiles: 1184301105
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage\ProductNonBootFilesIntl_1033: 1184301057
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage\ProductNonBootFilesIntl_1033: 1184301058
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1A3901D\1A3901D:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes\1A3901D:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductNonBootFiles: 1184301057
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle\ReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00B\x007\x005\x00F\x00-\x009\x004\x00E\x000\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductNonBootFiles: 1184301058
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\VBAFiles: 1184301057
write, SqlServer: C:\Users\user\AppData\Local\Temp\SqlServer.exe

Duplicate file:
Health-Register-Form.xlsx

1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce

Details
Name MSComctlLib.exd
Size 168732 bytes
Type data
MD5 2652869c4eba535b07b7dace41a28cd5
SHA1 98054054f8bcf1b2a8cf38bf8ee87daa80b80eee
SHA256 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
SHA512 5f4ed5a56faf3a70b6701a7a54c303c014e703200ef4921991e7d924799c60a14f61672a4cb6e7ea7ae78c2715dea3bef26b5585f14cf68c38ed49c311c34e87
ssdeep 1536:Ep8E8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:EzBoZuE/5xWgNmOnG8Gmn
Entropy 4.759740
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
99 1ee54e3db1cfbdecd4b540185fe481708b9b2e167920cd2bed2d1a6a176d5d98
100 206ce81653e4f5953153a66c33bd1ad8e2cce821bc5e06e95008c16acbfa4305
99 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
99 24cf08a72fbae51534df73ca8e150ad2db3548950dcd0d415da16ffa4747b7a4
99 2e325bfb75e71651bc459566665700811240e0fd7098cc5b16fa8ca5d2236f62
99 fdc0e5e2709511f7085f80f6558ae0947c1b04dc920f9b7d1b41f2b944b45bee
Relationships
1e22565e88... Dropped_By a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
Description

Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)

cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c

Details
Name Health Register Form.xlsx
Name Health-Register-Form.xlsx
Size 12846 bytes
Type Zip archive data, at least v2.0 to extract
MD5 abcf8848ad366aaedd7078c5e3d433bc
SHA1 e9584415cbfd1de4daa1e7dc29f4913f14846240
SHA256 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
SHA512 056bf778fe88a251c108bea68ffc24927a829664faf4dea75de1a89f67f13e6b5c8cc419712259e379634938338901f75aea7316ef7de7ec84b0abf66d1b6a2f
ssdeep 192:g5rgxo+7TF+jxy5MIstHPDRCybKI0iubkULcTivX2DEHLGlwMw:g5co4TSxwMI0DRPtPLTKXA0GlwMw
Entropy 7.872267
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
4b6576b854... Dropped_By a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
4b6576b854... Dropped 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
4b6576b854... Dropped_By 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
Description

Process Tree:
- EXCEL.EXE 3660 (2476)

EXCEL.EXE (3660) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB259.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Health-Register-Form.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\sendtoonenote.BUD
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\sendtoonenote.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\StdNames.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNoteNames.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNoteFilter.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNote.ini
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini

File activity:
write, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems\y#;:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\MTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1110C4A\1110C4A:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\EXCELFiles: 1184235533
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductFiles: 1184235569
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductFiles: 1184235570
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle\ReviewToken: {\x009\x00D\x00B\x007\x001\x003\x00A\x000\x00-\x00F\x002\x00E\x008\x00-\x004\x00A\x002\x00C\x00-\x00A\x001\x00C\x002\x00-\x00F\x004\x003\x008\x00D\x00C\x00E\x00C\x002\x007\x00F\x007\x00}\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1110D63\1110D63:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU\Max Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU\Max Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing\538F6C892AD540068154C6670774E980:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents\LastPurgeTime: 23829052

Duplicate file:
Health-Register-Form.xlsx

7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09

Tags

CVE-2012-0158

Details
Name Meeting Schedule (8 ~ 19 Dec 2014).xlsx
Name Meeting-Schedule-8-19-Dec-2014.xlsx
Size 54270 bytes
Type Zip archive data, at least v1.0 to extract
MD5 b966130bb3c494c66aae7333e7022ef3
SHA1 d43df8f45a145c900cedc370219b2a0cb8711a6f
SHA256 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
SHA512 9a69b42352eaa1fcb94d108c4bb54cb54a45946cb3f235da4e89424b0bff66c7e1126cc77eec9f71af9b9451e9e273bc870ac72d6cf4ddc483f7b86b24c8d0ed
ssdeep 768:3CtweOY48GDFWX2ZRz5k8ftEp22hgKvxVVfywPbvcGvMvmkJhFyariJCVI:3C2YjGDHnEpbNvxHyCblvMOkfgarV6
Entropy 7.938566
Antivirus
McAfee Exploit-Shellcode.b
NANOAV Exploit.ComObj.CVE-2012-0158.hzuf
TrendMicro TROJ_CV.BC8636A1
TrendMicro House Call TROJ_CV.BC8636A1
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
7034f53d22... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
7034f53d22... Dropped 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
7034f53d22... Dropped_By 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
7034f53d22... Dropped b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c
Description

Process Tree:
- EXCEL.EXE 2680 (2468)

EXCEL.EXE (2680) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB277.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Meeting-Schedule-8-19-Dec-2014.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Meeting-Schedule-8-19-Dec-2014.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE6786AD.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF8957F815FB0DA594.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

File activity:
write, C:\Users\user\AppData\Local\Temp\~$Meeting-Schedule-8-19-Dec-2014.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE6786AD.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems\!(::
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\MTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2116568\2116568:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductNonBootFiles: 1184301057
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle\ReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x008\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductNonBootFiles: 1184301058
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\EXCELFiles: 1184301069
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductFiles: 1184301105
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\VBAFiles: 1184301057

Duplicate file:
Meeting-Schedule-8-19-Dec-2014.xlsx

b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c

Details
Name MSComctlLib.exd
Size 168732 bytes
Type data
MD5 0f5f292d8ca4f233eb342f791f176b84
SHA1 1009a088a6119e1edf079dc725dea1170cc14621
SHA256 b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c
SHA512 eee6ad53c9ab7d2e59dedb3b8b99c1e552f059670e181f9c2b131dcfa76823461663422dace48ab3b7256b2127ab13ed7d212c749c2548e284d1e86a2121e593
ssdeep 1536:Ep8K8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:EZBoZuE/5xWgNmOnG8Gmn
Entropy 4.759758
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
99 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
99 1ee54e3db1cfbdecd4b540185fe481708b9b2e167920cd2bed2d1a6a176d5d98
99 206ce81653e4f5953153a66c33bd1ad8e2cce821bc5e06e95008c16acbfa4305
99 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
99 24cf08a72fbae51534df73ca8e150ad2db3548950dcd0d415da16ffa4747b7a4
99 2e325bfb75e71651bc459566665700811240e0fd7098cc5b16fa8ca5d2236f62
Relationships
b5f4e9a4de... Dropped_By 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
Description

Process Tree:
- cmd.exe 3660 (3768)
- - cmd.exe 2708 (3660)

cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801

Tags

CVE-2012-0158

Details
Name Tel list for HBS.xlsx
Name Tel-list-for-HBS.xlsx
Size 40058 bytes
Type Zip archive data, at least v1.0 to extract
MD5 0929a53e3ed6f5890fedddbf08261aed
SHA1 ad9758116e54ecd596a24563f13bf57c254d706b
SHA256 ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
SHA512 556637c4f4398af8a09930094f3a3fa085159982b45a0fadf38ddb31b8b0e537ac32a12d194e98e151f1561da1b1d026a532927fc518e76da1f186d976a683b3
ssdeep 768:6tH5UGxJBiVN0QF/m8EENsLffrd+au2ePAyA1FwnXtLP6FnXrAJOR:6V5jZUNFBWq63luJPAyemXtLStXrrR
Entropy 7.902359
Antivirus
McAfee Exploit-Shellcode.b
NANOAV Exploit.ComObj.CVE-2012-0158.hzuf
TrendMicro TROJ_CV.BC8636A1
TrendMicro House Call TROJ_CV.BC8636A1
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
ea28769e94... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
ea28769e94... Dropped ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
ea28769e94... Dropped_By ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
ea28769e94... Dropped 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
Description

Process Tree:
- EXCEL.EXE 2680 (2468)

EXCEL.EXE (2680) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB277.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Tel-list-for-HBS.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Tel-list-for-HBS.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD231BDC.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF82986D6839BE82B8.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

File activity:
write, C:\Users\user\AppData\Local\Temp\~$Tel-list-for-HBS.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD231BDC.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems\!&+:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\MTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2302E8\2302E8:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductNonBootFiles: 1184235521
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle\ReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x007\x001\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductNonBootFiles: 1184235522
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\EXCELFiles: 1184235533
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductFiles: 1184235569
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\VBAFiles: 1184235521

Duplicate file:
Tel-list-for-HBS.xlsx

2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87

Details
Name MSComctlLib.exd
Size 168732 bytes
Type data
MD5 6e81bf814bca598c1fcc7f968601241e
SHA1 fc36a4502eb5e9a9186844c79beb26e804ed70dc
SHA256 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
SHA512 f4297bee11f642c9de0acb4d9f43a4ea03e97a6d9592981b35d84ff0b98050ff6c163a41d4244ae4e5a5eb5086fd278ed1219e36bf0b7bcb2e845e1774ff798e
ssdeep 1536:Ep8M8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:ErBoZuE/5xWgNmOnG8Gmn
Entropy 4.759762
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
99 2a5edeb74169258b17b39bd3c7cb33948e7b4f7fb507ff244662cdc3b7724d77
99 2e325bfb75e71651bc459566665700811240e0fd7098cc5b16fa8ca5d2236f62
99 37c59ad54a86c673c5f2420a6c617c7289b2ba66cdc69a94a8f630edc6c5576c
99 7e57e5cf63b6715d0070a10ed86cb73ecc2e23b49a152b0485a3fd31e9136129
Relationships
2491fa4ff5... Dropped_By ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
Description

Process Tree:
- cmd.exe 3660 (3768)
- - cmd.exe 2708 (3660)

cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4

Tags

CVE-2012-0158
trojan

Details
Name UPDATED DLT as of 31 OCTOBER 2014(final).xlsx
Name UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx
Size 48045 bytes
Type Zip archive data, at least v1.0 to extract
MD5 b86e5e2d5f623a36a3e31bbbc7ae5877
SHA1 b6f23af9ca33e929897c52bd7beb67dd8128a11f
SHA256 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
SHA512 c6ef908446a74b762c26cfac083419f743fe0946a85013e0a094f583f667fd742c8edb7531d0c22e39fc7c33a61dcda55b3bb76b8974f4653e5f0787b47bd361
ssdeep 768:aI82H2VYbUmJ888RzPS8kSH/ccDHW+XO9AWmNgw036g0ms/J+RvFMwrCJhJ:ar2HcYhJ8zPjkSH/cc/vWmNg5ts/J+1k
Entropy 7.927029
Antivirus
McAfee Exploit-Shellcode.b
NANOAV Exploit.ComObj.CVE-2012-0158.hzuf
TrendMicro TROJ_CV.BC8636A1
TrendMicro House Call TROJ_CV.BC8636A1
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
632d6e5d5f... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
632d6e5d5f... Dropped 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
632d6e5d5f... Dropped_By 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
Description

Process Tree:
- EXCEL.EXE 2680 (2468)

EXCEL.EXE (2680) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB26D.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\581A9D3E.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DFA0ED67C86B701B46.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

File activity:
write, C:\Users\user\AppData\Local\Temp\~$UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\581A9D3E.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems\wr+:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\MTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\A32F5E\A32F5E:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductNonBootFiles: 1184235521
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle\ReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x008\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductNonBootFiles: 1184235522
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\EXCELFiles: 1184235533
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\ProductFiles: 1184235569
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\Usage\VBAFiles: 1184235521

Duplicate file:
UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx

sharedisplay.crabdance.com

Tags

command-and-control

Relationships
sharedisplay.crabdance.com Connected_From 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a

Relationship Summary

d98266f962... Dropped d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
d98266f962... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
d98266f962... Dropped f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
d98266f962... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
d98266f962... Dropped ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9
d98266f962... Dropped a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
d98266f962... Dropped 285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
285b07362f... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
f18029b49e... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
f18029b49e... Dropped f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
f18029b49e... Dropped_By f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
e0e3b1b331... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
e0e3b1b331... Dropped_By 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
e0e3b1b331... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
e0e3b1b331... Dropped_By a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
e0e3b1b331... Dropped_By 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
e0e3b1b331... Dropped_By ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
e0e3b1b331... Dropped_By 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
ae7c0faac4... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
a0ee57b452... Dropped_By d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
a0ee57b452... Dropped cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
a0ee57b452... Dropped a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
a0ee57b452... Dropped_By a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
a0ee57b452... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
cfedd2b1c5... Dropped_By a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
96387d3759... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
96387d3759... Dropped 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
96387d3759... Dropped_By 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
96387d3759... Dropped dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060
dd8a2661a0... Dropped_By 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
4425fb588a... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
4425fb588a... Dropped a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
4425fb588a... Dropped a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a
4425fb588a... Dropped b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
4425fb588a... Dropped a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29
4425fb588a... Dropped 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
4425fb588a... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
4425fb588a... Dropped ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb
4425fb588a... Connected_To sharedisplay.crabdance.com
a57a8693a2... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
a57a8693a2... Dropped_By b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
b4a2f1fd5a... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
b4a2f1fd5a... Dropped a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a
b4a2f1fd5a... Dropped b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
b4a2f1fd5a... Dropped_By b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
a8a277c10d... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
ce7cee02be... Dropped_By 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
a261962d1f... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
a261962d1f... Dropped a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
a261962d1f... Dropped_By a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
a261962d1f... Dropped 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
a261962d1f... Dropped 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
1e22565e88... Dropped_By a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
4b6576b854... Dropped_By a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
4b6576b854... Dropped 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
4b6576b854... Dropped_By 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
7034f53d22... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
7034f53d22... Dropped 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
7034f53d22... Dropped_By 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
7034f53d22... Dropped b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c
b5f4e9a4de... Dropped_By 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
ea28769e94... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
ea28769e94... Dropped ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
ea28769e94... Dropped_By ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
ea28769e94... Dropped 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
2491fa4ff5... Dropped_By ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
632d6e5d5f... Dropped e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
632d6e5d5f... Dropped 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
632d6e5d5f... Dropped_By 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
sharedisplay.crabdance.com Connected_From 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a

Conclusion

None

Mitigation

None

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the Internet prior to execution.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

Revisions

May 12, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.
