MIFR-00435108-1.v2

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Description

This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.

None

This report contains preliminary analysis and is not intended to be a complete description of the submitted artifacts' capabilities. Results may be incomplete due to the artifacts' complexity or ability to defend against analysis techniques. If additional information is required, please contact the CISA Security Operations Center using the information at the end of this report.



Analysis Environment: 32_bit, windows_7

For a downloadable copy of IOCs, see MIFR-00435108-1.v2.stix.

Submitted Files (22)

1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce (MSComctlLib.exd)

2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87 (MSComctlLib.exd)

285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81 (error008480_01.xml)

4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a (Electronic Tickets.xlsx)

4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c (Health Register Form.xlsx)

632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4 (UPDATED DLT as of 31 OCTOBER 2...)

7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09 (Meeting Schedule (8 ~ 19 Dec 2...)

96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858 (Economic Action Plan 2015 and ...)

a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757 (~xls.xlsx)

a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a (Health Register Form.xlsx)

a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a (FireFox.url)

a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29 (MSComctlLib.exd)

ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9 (MSComctlLib.exd)

b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b (Outlook.exe)

b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c (MSComctlLib.exd)

ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb (error012760_01.xml)

cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9 (error026800_01.xml)

d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb (Briefing Notes.xlsx)

dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060 (MSComctlLib.exd)

e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2 (A7A1FD8E.emf)

ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801 (Tel list for HBS.xlsx)

f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2 (SqlServer.exe)

Domains (1)

sharedisplay.crabdance.com

d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb

Tags

CVE-2012-0158trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- EXCEL.EXE 364 (2468)

- - cmd.exe 1308 (364)

- - - SqlServer.exe 2228 (1308)

- - cmd.exe 2340 (364)

- - - EXCEL.EXE 848 (2340)



EXCEL.EXE (848) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRDB62.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\AppData\Local\Temp\~xls.xlsx

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$~xls.xlsx

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL

NtCreateFile, C:\Windows\system32\imageres.dll

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE535.tmp

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\Users\user\AppData\Local\Temp\error008480_01.xml

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini



EXCEL.EXE (364) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB353.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\Briefing-Notes.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Briefing-Notes.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7A1FD8E.emf

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\~DFD6EA0462A523DB58.TMP

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

NtCreateFile, C:\Windows\system32\stdole2.tlb

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3

NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0

NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe

NtCreateFile, C:\Users\user\AppData\Local\Temp\~xls.xlsx



cmd.exe (2340) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

NtCreateFile, C:\Windows\system32\cmd.exe

NtCreateFile, C:\Windows\INF\setupapi.app.log

NtCreateFile, C:\Windows\AppPatch\pcamain.sdb



SqlServer.exe (2228) API behavior:

NtCreateFile, C:\ProgramData\Media Player

NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe

NtCreateFile, C:\ProgramData\Media Player\wmplayer.exe

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url

NtCreateFile, C:\Windows\system32\tzres.dll



File activity:

write, C:\Users\user\AppData\Local\Temp\~$Briefing-Notes.xlsx

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7A1FD8E.emf

write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

write, C:\Users\user\AppData\Local\Temp\SqlServer.exe

execute, cmd /c C:\Users\user\AppData\Local\Temp\SqlServer.exe

write, C:\Users\user\AppData\Local\Temp\~xls.xlsx

execute, cmd /c C:\Users\user\AppData\Local\Temp\~xls.xlsx

execute, C:\Users\user\AppData\Local\Temp\SqlServer.exe

write, C:\ProgramData\Media Player\wmplayer.exe

write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url

execute, C:\Users\user\AppData\Local\Temp\~xls.xlsx

execute, "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde

write, C:\Users\user\AppData\Local\Temp\~$~xls.xlsx

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE535.tmp

write, C:\Users\user\AppData\Local\Temp\error008480_01.xml



Registry activity:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems}2{:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1ECC74F1ECC74F:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301057

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x00C\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301058

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301069

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301105

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184301057

write, SqlServer: C:\Users\user\AppData\Local\Temp\SqlServer.exe

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301070

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsbzt:

write, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1ECF13E1ECF13E:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301071

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301106

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184301057

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184301058

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\1ECF821:

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes1ECF821:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1ECF9431ECF943:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlagsMax Display: 25

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Max Display: 25

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing538F6C892AD540068154C6670774E980:

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesLastPurgeTime: 23828998



Duplicate file:

Briefing-Notes.xlsx

285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

Process Tree:

- cmd.exe 3660 (2476)

- - cmd.exe 2708 (3660)



cmd.exe (2708) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe

f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

Process Tree:

- SqlServer.exe 2212 (2472)



SqlServer.exe (2212) API behavior:

NtCreateFile, C:\ProgramData\Media Player

NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe

NtCreateFile, C:\ProgramData\Media Player\wmplayer.exe

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url

NtCreateFile, C:\Windows\system32\tzres.dll



File activity:

write, C:\ProgramData\Media Player\wmplayer.exe

write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url



Duplicate file:

wmplayer.exe

e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- cmd.exe 2680 (2468)

- - cmd.exe 2612 (2680)



cmd.exe (2612) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe



Duplicate files:

D4D72E9A.emf

3DADA823.emf

8EAC1637.emf

EE6786AD.emf

CD231BDC.emf

581A9D3E.emf

ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

Process Tree:

- cmd.exe 3660 (2476)

- - cmd.exe 2708 (3660)



cmd.exe (2708) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe

a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- EXCEL.EXE 2680 (2468)



EXCEL.EXE (2680) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB26D.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\xls.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$xls.xlsx

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL

NtCreateFile, C:\Windows\system32\imageres.dll

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB27.tmp

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini

NtCreateFile, C:\Users\user\AppData\Local\Temp\error026800_01.xml



File activity:

write, C:\Users\user\AppData\Local\Temp\~$xls.xlsx

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB27.tmp

write, C:\Users\user\AppData\Local\Temp\error026800_01.xml



Registry activity:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsw~+:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1235BDE1235BDE:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235521

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235522

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery123637F123637F:

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes123637F:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00B\x007\x005\x00F\x00-\x007\x00F\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery12364511236451:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelPlace MRUMax Display: 25

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelFile MRUMax Display: 25

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing538F6C892AD540068154C6670774E980:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelSecurityTrusted DocumentsLastPurgeTime: 23829016



Duplicate files:

xls.xlsx

~Excel.xlsx

~xls.xlsx

C:\Users\user\AppData\Local\Temp\~$~xls.xlsx

cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

Process Tree:

- cmd.exe 2680 (2468)

- - cmd.exe 2612 (2680)



cmd.exe (2612) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe

96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858

Tags

CVE-2012-0158trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- EXCEL.EXE 3660 (2476)



EXCEL.EXE (3660) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB277.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\Economic-Action-Plan-2015-and-AECL-funding.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Economic-Action-Plan-2015-and-AECL-funding.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D4D72E9A.emf

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\~DFDBA8A9B9701F1ED3.TMP

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

NtCreateFile, C:\Windows\system32\stdole2.tlb

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3

NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0

NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd



File activity:

write, C:\Users\user\AppData\Local\Temp\~$Economic-Action-Plan-2015-and-AECL-funding.xlsx

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D4D72E9A.emf

write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd



Registry activity:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsw\x7f-:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1A3885E1A3885E:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301057

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x004\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301058

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301069

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301105

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184301057



Duplicate file:

Economic-Action-Plan-2015-and-AECL-funding.xlsx

dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

Process Tree:

- cmd.exe 3660 (2476)

- - cmd.exe 2708 (3660)



cmd.exe (2708) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe

4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a

Tags

CVE-2012-0158droppertrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- EXCEL.EXE 2680 (2468)

- - cmd.exe 100 (2680)

- - - Outlook.exe 1156 (100)

- - cmd.exe 2580 (2680)

- - - EXCEL.EXE 1276 (2580)



EXCEL.EXE (2680) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB263.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\Electronic-Tickets.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Electronic-Tickets.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DADA823.emf

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF49E9F5ED09064C50.TMP

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

NtCreateFile, C:\Windows\system32\stdole2.tlb

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3

NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0

NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

NtCreateFile, C:\Users\user\AppData\Local\Temp\Outlook.exe

NtCreateFile, C:\Users\user\AppData\Local\Temp\~Excel.xlsx



EXCEL.EXE (1276) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRBAE0.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\AppData\Local\Temp\~Excel.xlsx

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$~Excel.xlsx

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL

NtCreateFile, C:\Windows\system32\imageres.dll

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoCBB3.tmp

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\Users\user\AppData\Local\Temp\error012760_01.xml

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini



cmd.exe (2580) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

NtCreateFile, C:\Windows\system32\cmd.exe

NtCreateFile, C:\Windows\INF\setupapi.app.log

NtCreateFile, C:\Windows\AppPatch\pcamain.sdb



Outlook.exe (1156) API behavior:

getaddrinfo, user-PC

getaddrinfo, sharedisplay.crabdance.com

NtCreateFile, C:\Users\user\AppData\Local\Temp\Outlook.exe

NtCreateFile, C:\Users\user\AppData\Local\Temp\regsvr.exe

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url

NtCreateFile, C:\Users\user\AppData\Local\Tempaspnet_perf.ini

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk

NtCreateFile, Nsi

NtCreateFile, C:\Windows\system32\en-US\urlmon.dll.mui



File activity:

write, C:\Users\user\AppData\Local\Temp\~$Electronic-Tickets.xlsx

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DADA823.emf

write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

write, C:\Users\user\AppData\Local\Temp\Outlook.exe

execute, cmd /c C:\Users\user\AppData\Local\Temp\Outlook.exe

write, C:\Users\user\AppData\Local\Temp\~Excel.xlsx

execute, cmd /c C:\Users\user\AppData\Local\Temp\~Excel.xlsx

execute, C:\Users\user\AppData\Local\Temp\Outlook.exe

write, C:\Users\user\AppData\Local\Temp\regsvr.exe

write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url

execute, C:\Users\user\AppData\Local\Temp\~Excel.xlsx

execute, "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde

write, C:\Users\user\AppData\Local\Temp\~$~Excel.xlsx

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoCBB3.tmp

write, C:\Users\user\AppData\Local\Temp\error012760_01.xml



Registry activity:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsm`b:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA1DD4DA1DD4:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235521

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x005\x004\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235522

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184235521

write, Outlook: C:\Users\user\AppData\Local\Temp\Outlook.exe

write, HKEY_CURRENT_USER\Software\MicrosoftServerID: 14295685

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesUNCAsIntranet: 0

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesAutoDetect: 1

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235534

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsj9c:

write, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA2C94DA2C94:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235535

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235570

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235521

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235522

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA35E3DA35E3:

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesDA35E3:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA371ADA371A:

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000\Software\Microsoft\Windows NT\CurrentVersionMax Display: 25

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelFile MRUMax Display: 25

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes538F6C892AD540068154C6670774E980:

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000LastPurgeTime: 23829032



Duplicate file:

Electronic-Tickets.xlsx

a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- cmd.exe 3660 (2476)

- - cmd.exe 2708 (3660)



cmd.exe (2708) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe



Duplicate file:

FireFox.url

b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b

Tags

backdoordownloadertrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

Process Tree:

- Outlook.exe 3660 (2476)



Outlook.exe (3660) API behavior:

getaddrinfo, user-PC

getaddrinfo, sharedisplay.crabdance.com

NtCreateFile, C:\Users\user\AppData\Local\Temp\Outlook.exe

NtCreateFile, C:\Users\user\AppData\Local\Temp\regsvr.exe

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url

NtCreateFile, C:\Users\user\AppData\Local\Tempaspnet_perf.ini

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk

NtCreateFile, Nsi

NtCreateFile, C:\Windows\system32\en-US\urlmon.dll.mui



File activity:

write, C:\Users\user\AppData\Local\Temp\regsvr.exe

write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url



Registry activity:

write, HKEY_CURRENT_USER\Software\MicrosoftServerID: 35894213

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1



Duplicate file:

regsvr.exe

a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

Process Tree:

- cmd.exe 2680 (2468)

- - cmd.exe 2612 (2680)



cmd.exe (2612) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe

ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

Process Tree:

- cmd.exe 3660 (2476)

- - cmd.exe 2708 (3660)



cmd.exe (2708) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe

a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a

Tags

CVE-2012-0158

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- EXCEL.EXE 364 (2472)

- - cmd.exe 3060 (364)

- - - SqlServer.exe 1272 (3060)

- - cmd.exe 748 (364)



EXCEL.EXE (364) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB26D.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\Health-Register-Form.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL

NtCreateFile, C:\Windows\system32\imageres.dll

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB77.tmp

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EAC1637.emf

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF8DC69AA1B12AE2DF.TMP

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

NtCreateFile, C:\Windows\system32\stdole2.tlb

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3

NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0

NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe

NtCreateFile, C:\Users\user\AppData\Local\Temp\Health Register Form.xlsx



SqlServer.exe (1272) API behavior:

getaddrinfo, user-PC

NtCreateFile, C:\Users\user\AppData\Local\Temp\logs\

NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe

NtCreateFile, Nsi

NtCreateFile, C:\DEVICE\NETBT_TCPIP_{EE3609C4-8FD2-4425-A052-503E93DD9F04}



File activity:

write, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB77.tmp

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EAC1637.emf

write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd

write, C:\Users\user\AppData\Local\Temp\SqlServer.exe

execute, cmd /c C:\Users\user\AppData\Local\Temp\SqlServer.exe

write, C:\Users\user\AppData\Local\Temp\Health Register Form.xlsx

execute, cmd /c C:\Users\user\AppData\Local\Temp\Health Register Form.xlsx

execute, C:\Users\user\AppData\Local\Temp\SqlServer.exe



Registry activity:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsws1:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1A3885E1A3885E:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301069

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301105

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184301057

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184301058

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1A3901D1A3901D:

write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes1A3901D:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301057

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00B\x007\x005\x00F\x00-\x009\x004\x00E\x000\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301058

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184301057

write, SqlServer: C:\Users\user\AppData\Local\Temp\SqlServer.exe



Duplicate file:

Health-Register-Form.xlsx

1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

Process Tree:

- cmd.exe 3660 (2476)

- - cmd.exe 2708 (3660)



cmd.exe (2708) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe

4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- EXCEL.EXE 3660 (2476)



EXCEL.EXE (3660) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB259.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\Health-Register-Form.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx

NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\sendtoonenote.BUD

NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\sendtoonenote.gpd

NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\StdNames.gpd

NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNoteNames.gpd

NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNoteFilter.gpd

NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNote.ini

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini



File activity:

write, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx



Registry activity:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsy#;:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1110C4A1110C4A:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235570

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x009\x00D\x00B\x007\x001\x003\x00A\x000\x00-\x00F\x002\x00E\x008\x00-\x004\x00A\x002\x00C\x00-\x00A\x001\x00C\x002\x00-\x00F\x004\x003\x008\x00D\x00C\x00E\x00C\x002\x007\x00F\x007\x00}\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1110D631110D63:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelPlace MRUMax Display: 25

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelFile MRUMax Display: 25

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing538F6C892AD540068154C6670774E980:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelSecurityTrusted DocumentsLastPurgeTime: 23829052



Duplicate file:

Health-Register-Form.xlsx

7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09

Tags

CVE-2012-0158

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- EXCEL.EXE 2680 (2468)



EXCEL.EXE (2680) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB277.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\Meeting-Schedule-8-19-Dec-2014.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Meeting-Schedule-8-19-Dec-2014.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE6786AD.emf

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF8957F815FB0DA594.TMP

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

NtCreateFile, C:\Windows\system32\stdole2.tlb

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3

NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0

NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd



File activity:

write, C:\Users\user\AppData\Local\Temp\~$Meeting-Schedule-8-19-Dec-2014.xlsx

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE6786AD.emf

write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd



Registry activity:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems!(::

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery21165682116568:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301057

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x008\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301058

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301069

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301105

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184301057



Duplicate file:

Meeting-Schedule-8-19-Dec-2014.xlsx

b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

Process Tree:

- cmd.exe 3660 (3768)

- - cmd.exe 2708 (3660)



cmd.exe (2708) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe

ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801

Tags

CVE-2012-0158

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- EXCEL.EXE 2680 (2468)



EXCEL.EXE (2680) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB277.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\Tel-list-for-HBS.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Tel-list-for-HBS.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD231BDC.emf

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF82986D6839BE82B8.TMP

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

NtCreateFile, C:\Windows\system32\stdole2.tlb

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3

NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0

NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd



File activity:

write, C:\Users\user\AppData\Local\Temp\~$Tel-list-for-HBS.xlsx

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD231BDC.emf

write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd



Registry activity:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems!&+:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery2302E82302E8:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235521

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x007\x001\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235522

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184235521



Duplicate file:

Tel-list-for-HBS.xlsx

2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

Process Tree:

- cmd.exe 3660 (3768)

- - cmd.exe 2708 (3660)



cmd.exe (2708) API behavior:

NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll



File activity:

execute, cmd.exe

632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4

Tags

CVE-2012-0158trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

Process Tree:

- EXCEL.EXE 2680 (2468)



EXCEL.EXE (2680) API behavior:

NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB26D.tmp

NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL

NtCreateFile, C:\Windows\Fonts\staticcache.dat

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config

NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui

NtCreateFile, C:\Windows\system32\rsaenh.dll

NtCreateFile, MountPointManager

NtCreateFile, C:\

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db

NtCreateFile, C:\Users\desktop.ini

NtCreateFile, C:\Users

NtCreateFile, C:\Users\user

NtCreateFile, C:\Users\user\Desktop\desktop.ini

NtCreateFile, C:\Users\user\Documents

NtCreateFile, C:\Users\user\AppData

NtCreateFile, C:\Users\user\AppData\Local

NtCreateFile, C:\Users\user\AppData\Local\Temp

NtCreateFile, C:\Users\user\AppData\Local\Temp\UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Temp\~$UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx

NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\581A9D3E.emf

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd

NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\Searches\desktop.ini

NtCreateFile, C:\Users\user\Videos\desktop.ini

NtCreateFile, C:\Users\user\Pictures\desktop.ini

NtCreateFile, C:\Users\user\Contacts\desktop.ini

NtCreateFile, C:\Users\user\Favorites\desktop.ini

NtCreateFile, C:\Users\user\Music\desktop.ini

NtCreateFile, C:\Users\user\Downloads\desktop.ini

NtCreateFile, C:\Users\user\Documents\desktop.ini

NtCreateFile, C:\Users\user\Links\desktop.ini

NtCreateFile, C:\Users\user\Saved Games\desktop.ini

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\~DFA0ED67C86B701B46.TMP

NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

NtCreateFile, C:\Windows\system32\stdole2.tlb

NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3

NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE

NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0

NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX

NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd



File activity:

write, C:\Users\user\AppData\Local\Temp\~$UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx

write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\581A9D3E.emf

write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd



Registry activity:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemswr+:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryA32F5EA32F5E:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235521

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x008\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235522

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184235521



Duplicate file:

UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx

sharedisplay.crabdance.com

Tags

command-and-control

Relationships

None

None

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

• 1-888-282-0870
• [email protected] (UNCLASS)
• [email protected] (SIPRNET)
• [email protected] (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or [email protected].

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: [email protected]
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.