Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Summary
Description
This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.
This report contains preliminary analysis and is not intended to be a complete description of the submitted artifacts' capabilities. Results may be incomplete due to the artifacts' complexity or ability to defend against analysis techniques. If additional information is required, please contact the CISA Security Operations Center using the information at the end of this report.
Analysis Environment: 32_bit, windows_7
For a downloadable copy of IOCs, see MIFR-00435108-1.v2.stix.
Submitted Files (22)
1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce (MSComctlLib.exd)
2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87 (MSComctlLib.exd)
285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81 (error008480_01.xml)
4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a (Electronic Tickets.xlsx)
4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c (Health Register Form.xlsx)
632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4 (UPDATED DLT as of 31 OCTOBER 2...)
7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09 (Meeting Schedule (8 ~ 19 Dec 2...)
96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858 (Economic Action Plan 2015 and ...)
a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757 (~xls.xlsx)
a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a (Health Register Form.xlsx)
a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a (FireFox.url)
a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29 (MSComctlLib.exd)
ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9 (MSComctlLib.exd)
b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b (Outlook.exe)
b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c (MSComctlLib.exd)
ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb (error012760_01.xml)
cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9 (error026800_01.xml)
d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb (Briefing Notes.xlsx)
dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060 (MSComctlLib.exd)
e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2 (A7A1FD8E.emf)
ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801 (Tel list for HBS.xlsx)
f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2 (SqlServer.exe)
Domains (1)
sharedisplay.crabdance.com
Findings
d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
Tags
CVE-2012-0158, trojan
Details
Name | Briefing Notes.xlsx
Name | Briefing-Notes.xlsx
Size | 40047 bytes
Type | Zip archive data, at least v1.0 to extract
MD5 | 5a2bd115d0ccb413bc9c33da3db431a6
SHA1 | 72693b2257ad05594255ce42b1b8f78cef05654f
SHA256 | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
SHA512 | 638966ce407cf903462be4abf6bf8fcbde84678b1b5ab2a1fb096ef5ebc0156ed9ae5ad33fa95fd04f068006ef31c8b4e8e0ce145eed8e7401a64ffa02989121
ssdeep | 768:pUCyOM3zmt0dcUEpuPzvIokQ4O69ny+0aBdDeBvFs0rKJyah:p3MZd/4uPzuOnzmDexm0r9K
Entropy | 7.902461
Antivirus
McAfee | Exploit-Shellcode.b
NANOAV | Exploit.ComObj.CVE-2012-0158.hzuf
TrendMicro | TROJ_CV.BC8636A1
TrendMicro House Call | TROJ_CV.BC8636A1
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
d98266f962... | Dropped | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
d98266f962... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
d98266f962... | Dropped | f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
d98266f962... | Dropped | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
d98266f962... | Dropped | ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9
d98266f962... | Dropped | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
d98266f962... | Dropped | 285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
Description
Process Tree:
- EXCEL.EXE 364 (2468)
- - cmd.exe 1308 (364)
- - - SqlServer.exe 2228 (1308)
- - cmd.exe 2340 (364)
- - - EXCEL.EXE 848 (2340)
EXCEL.EXE (848) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRDB62.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\AppData\Local\Temp\~xls.xlsx
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$~xls.xlsx
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL
NtCreateFile, C:\Windows\system32\imageres.dll
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE535.tmp
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\AppData\Local\Temp\error008480_01.xml
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
EXCEL.EXE (364) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB353.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Briefing-Notes.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Briefing-Notes.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7A1FD8E.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DFD6EA0462A523DB58.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe
NtCreateFile, C:\Users\user\AppData\Local\Temp\~xls.xlsx
cmd.exe (2340) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\cmd.exe
NtCreateFile, C:\Windows\INF\setupapi.app.log
NtCreateFile, C:\Windows\AppPatch\pcamain.sdb
SqlServer.exe (2228) API behavior:
NtCreateFile, C:\ProgramData\Media Player
NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe
NtCreateFile, C:\ProgramData\Media Player\wmplayer.exe
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url
NtCreateFile, C:\Windows\system32\tzres.dll
File activity:
write, C:\Users\user\AppData\Local\Temp\~$Briefing-Notes.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7A1FD8E.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
write, C:\Users\user\AppData\Local\Temp\SqlServer.exe
execute, cmd /c C:\Users\user\AppData\Local\Temp\SqlServer.exe
write, C:\Users\user\AppData\Local\Temp\~xls.xlsx
execute, cmd /c C:\Users\user\AppData\Local\Temp\~xls.xlsx
execute, C:\Users\user\AppData\Local\Temp\SqlServer.exe
write, C:\ProgramData\Media Player\wmplayer.exe
write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url
execute, C:\Users\user\AppData\Local\Temp\~xls.xlsx
execute, "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
write, C:\Users\user\AppData\Local\Temp\~$~xls.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE535.tmp
write, C:\Users\user\AppData\Local\Temp\error008480_01.xml
Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems}2{:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1ECC74F1ECC74F:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301057
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x00C\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301058
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301069
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301105
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184301057
write, SqlServer: C:\Users\user\AppData\Local\Temp\SqlServer.exe
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301070
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsbzt:
write, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1ECF13E1ECF13E:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301071
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301106
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184301057
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184301058
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\1ECF821:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes1ECF821:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1ECF9431ECF943:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlagsMax Display: 25
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Max Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing538F6C892AD540068154C6670774E980:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesLastPurgeTime: 23828998
Duplicate file:
Briefing-Notes.xlsx
285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
Details
Name | error008480_01.xml
Size | 689 bytes
Type | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5 | 7e7be8d27133737b56d4ee3940b8542a
SHA1 | c919acbb84c42132f8c5e4df2e381e3dc2f5ba11
SHA256 | 285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
SHA512 | a4eb7efec30dd223015d272855af586767084d893d0e15b6faae79b2bc69b2eee48b22760dee87313285a16be0da6c4ac2ce93cffab9ee3a17b314bbb50ec140
ssdeep | 12:TMHdtz6fxVjd5lfeJati+KgyPCLGTmylMF6l38Z5PB2B2Blb:2dtz6fxBd5VsaGNCqsnB2B2Blb
Entropy | 4.934094
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
97 | 53a4546d066fce5aa5bdc44694f353ca8761cd8451f33c0ef24c6106ea382dcb
97 | ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb
96 | cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
94 | f57e76cfc2e9dd4e8d9b1c504541d8848fae8fe44d026647b135ea9cff14a6e4
Relationships
285b07362f... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
Description
Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)
cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
Tags
trojan
Details
Name | SqlServer.exe
Name | wmplayer.exe
Size | 16384 bytes
Type | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | d1b579e01552f0ad4f005cfcecb2741b
SHA1 | dde439706d5cbd9abd908a6c476d4073455ff09c
SHA256 | f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
SHA512 | 5655952a926847c412e31be39c7c00cd3f21321085df27b0ea4c2a3263077bc28af57006e58668b6a2b029050edf42f54086bfe32bcd1030e87b4295d1b64fa5
ssdeep | 192:Os4ynIA+9KMW24hJEWFr1NLL12rP1oynz+:nrMb4hJzZNn121Z
Entropy | 2.959396
Antivirus
Avira | TR/Agent.16384.898
ESET | a variant of Win32/Agent.WTO trojan
Ikarus | Trojan.Win32.Agent
NANOAV | Trojan.Win32.Agent.drjddl
TrendMicro | TSPY_LI.3E72A676
TrendMicro House Call | TSPY_LI.3E72A676
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
Compile Date | 2014-11-19 20:09:27-05:00
Import Hash | 9fa2392b1c4c4a70ccaed2db6cc38fb8
PE Sections
MD5 | Name | Raw Size | Entropy
cd69ddfbf11492f4fe8668b278883fcc | header | 4096 | 0.618909
1bc187594f2d00d7ce31bf1a2989c05e | .text | 4096 | 5.905148
87dc21f31afa1cd618994dfa69a1a974 | .rdata | 4096 | 2.471052
2d6e8e0f37278c8b844fa4ab7b1438ac | .data | 4096 | 0.907517
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
f18029b49e... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
f18029b49e... | Dropped | f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
f18029b49e... | Dropped_By | f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
Description
Process Tree:
- SqlServer.exe 2212 (2472)
SqlServer.exe (2212) API behavior:
NtCreateFile, C:\ProgramData\Media Player
NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe
NtCreateFile, C:\ProgramData\Media Player\wmplayer.exe
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url
NtCreateFile, C:\Windows\system32\tzres.dll
File activity:
write, C:\ProgramData\Media Player\wmplayer.exe
write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.url
Duplicate file:
wmplayer.exe
e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
Details
Name | 3DADA823.emf
Name | 581A9D3E.emf
Name | 8EAC1637.emf
Name | A7A1FD8E.emf
Name | CD231BDC.emf
Name | D4D72E9A.emf
Name | EE6786AD.emf
Size | 1496 bytes
Type | Windows Enhanced Metafile (EMF) image data version 0x10000
MD5 | aa44b60fff50e7bd714898d6d540bb45
SHA1 | e251e7660e60059fd4ec6278a1338b1aa33f97b7
SHA256 | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
SHA512 | c0a78b716c8e09a7e4b68262ea51d878b51fa2ce84638973dd809d2f06a9365eddadf1c8902c92fc4c4c9946107178aef3747a1c520f840348acebb2b76ae4b3
ssdeep | 24:YXTLuvIlI+aZrXXJ4ySTWER+lDR4PqrV2gzeftkcvr18vt+z:YDlaJ4brEMguXz
Entropy | 3.184906
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
e0e3b1b331... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
e0e3b1b331... | Dropped_By | 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
e0e3b1b331... | Dropped_By | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
e0e3b1b331... | Dropped_By | a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
e0e3b1b331... | Dropped_By | 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
e0e3b1b331... | Dropped_By | ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
e0e3b1b331... | Dropped_By | 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
Description
Process Tree:
- cmd.exe 2680 (2468)
- - cmd.exe 2612 (2680)
cmd.exe (2612) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
Duplicate files:
D4D72E9A.emf
3DADA823.emf
8EAC1637.emf
EE6786AD.emf
CD231BDC.emf
581A9D3E.emf
ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9
Details
Name | MSComctlLib.exd
Size | 168732 bytes
Type | data
MD5 | db8b1e4292c4f3ddf75c8761d96725b7
SHA1 | c83f0922d009ff763223df5e4156ada7c8f7b5ba
SHA256 | ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9
SHA512 | b22dbc4b7a6bc43bc54d4bf887588919a1d25e0a833201d6a2f2905e3a02525b50595c6bd0ae3494c81276b132872df6c6b3389d9bcd1cf7defe791f13105134
ssdeep | 1536:Ep8D8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:EIBoZuE/5xWgNmOnG8Gmn
Entropy | 4.759752
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
99 | 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
99 | 1ee54e3db1cfbdecd4b540185fe481708b9b2e167920cd2bed2d1a6a176d5d98
99 | 206ce81653e4f5953153a66c33bd1ad8e2cce821bc5e06e95008c16acbfa4305
99 | 641ca61f849cad9cd7f23861281b41e8de48b567eaf2b29538c4fe05b1780151
99 | dc420118d71690c1afa3865acf82070fc31dad2681efa0fa561afd78cef51909
99 | fdc0e5e2709511f7085f80f6558ae0947c1b04dc920f9b7d1b41f2b944b45bee
Relationships
ae7c0faac4... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
Description
Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)
cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
Details
Name | xls.xlsx
Name | ~Excel.xlsx
Name | ~xls.xlsx
Size | 12581 bytes
Type | Zip archive data, at least v1.0 to extract
MD5 | 84694e84a1ece2e535300b3239a65bfe
SHA1 | 2556bebecef95f8030db0b285d9a1056325ba815
SHA256 | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
SHA512 | d6ffead0bc94a531c963b9515001298ee5cd40233ae5dd0591b989e38c6720b2c120c59900cdfdfc31a53f3de26ac360d3569373963785d34ea8c21fe020131a
ssdeep | 96:n00AiEkfEASbncCkfdbGdA1iha4haU63paTEFDIt0BldAXD4kS0Aqs4viODA3ts3:n0FeywCkfd6A2TYviIld6DNS0czzzzu
Entropy | 6.041399
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
a0ee57b452... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
a0ee57b452... | Dropped | cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
a0ee57b452... | Dropped | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
a0ee57b452... | Dropped_By | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
a0ee57b452... | Dropped_By | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
Description
Process Tree:
- EXCEL.EXE 2680 (2468)
EXCEL.EXE (2680) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB26D.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\xls.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$xls.xlsx
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL
NtCreateFile, C:\Windows\system32\imageres.dll
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB27.tmp
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Users\user\AppData\Local\Temp\error026800_01.xml
File activity:
write, C:\Users\user\AppData\Local\Temp\~$xls.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB27.tmp
write, C:\Users\user\AppData\Local\Temp\error026800_01.xml
Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsw~+:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1235BDE1235BDE:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235521
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235522
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery123637F123637F:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes123637F:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00B\x007\x005\x00F\x00-\x007\x00F\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery12364511236451:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelPlace MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelFile MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing538F6C892AD540068154C6670774E980:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelSecurityTrusted DocumentsLastPurgeTime: 23829016
Duplicate files:
xls.xlsx
~Excel.xlsx
~xls.xlsx
C:\Users\user\AppData\Local\Temp\~$~xls.xlsx
cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
Details
Name | error026800_01.xml
Size | 688 bytes
Type | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5 | edd1edc9b4bf0ce0248a2b16128b20f2
SHA1 | 5aa1bf61b29c55b2d630dae6d1ff9298f342fa9d
SHA256 | cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
SHA512 | c2bb6c70a1120ca65e29c05dd1d8e889750cc3fbae4fd433160d62826f71e7ded113f307d9591140b106d29bd40003a0f74c236d3d812bf23a970321ead2501d
ssdeep | 12:TMHdtz6fxVrd5lfeJ4i+KgyPCLGTmylMF6l38Z5PB2B2Blb:2dtz6fxpd5VsTNCqsnB2B2Blb
Entropy | 4.923656
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
96 | 285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
96 | 53a4546d066fce5aa5bdc44694f353ca8761cd8451f33c0ef24c6106ea382dcb
96 | ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb
96 | f57e76cfc2e9dd4e8d9b1c504541d8848fae8fe44d026647b135ea9cff14a6e4
Relationships
cfedd2b1c5... | Dropped_By | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
Description
Process Tree:
- cmd.exe 2680 (2468)
- - cmd.exe 2612 (2680)
cmd.exe (2612) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
Tags
CVE-2012-0158, trojan
Details
Name | Economic Action Plan 2015 and AECL funding.xlsx
Name | Economic-Action-Plan-2015-and-AECL-funding.xlsx
Size | 55622 bytes
Type | Zip archive data, at least v1.0 to extract
MD5 | 333aadb2cb323c1822976e9c6be9e32c
SHA1 | d402cbcfc0074c857ff05bdae5495227e26ef297
SHA256 | 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
SHA512 | aba8899a9ebe1b021ffb016227045b1546ad336f6deb3ab5740cb41627364f9dc01a32349b09b31e28d0e21b0b7ad054ef501511e51004284958529e1a3a9564
ssdeep | 1536:HFUdGJcG2bqa+OAF8G/tXEx9Rb9MfonzNPjwPf+13rh:6GJx2QqGybofczljhbh
Entropy | 7.941998
Antivirus
McAfee | Exploit-Shellcode.b
NANOAV | Exploit.ComObj.CVE-2012-0158.hzuf
TrendMicro | TROJ_CV.BC8636A1
TrendMicro House Call | TROJ_CV.BC8636A1
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
96387d3759... | Dropped | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
96387d3759... | Dropped | 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
96387d3759... | Dropped_By | 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
96387d3759... | Dropped | dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060
Description
Process Tree:
- EXCEL.EXE 3660 (2476)
EXCEL.EXE (3660) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB277.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Economic-Action-Plan-2015-and-AECL-funding.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Economic-Action-Plan-2015-and-AECL-funding.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D4D72E9A.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DFDBA8A9B9701F1ED3.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
File activity:
write, C:\Users\user\AppData\Local\Temp\~$Economic-Action-Plan-2015-and-AECL-funding.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D4D72E9A.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsw\x7f-:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1A3885E1A3885E:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301057
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x004\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301058
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301069
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301105
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184301057
Duplicate file:
Economic-Action-Plan-2015-and-AECL-funding.xlsx
dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060
Details
Name | MSComctlLib.exd
Size | 168732 bytes
Type | data
MD5 | 9388d75b01fe8b6d35134d24c02a1f3e
SHA1 | f8612f34878312343bc2e3b6cd3475d87d1bb921
SHA256 | dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060
SHA512 | 928caf7f53318d68f5de29599f00610da4b65661c676f96987b0407c858bd0aa2d5d4313b98505e6cb6d96e6617bd8fa5a12e6f9ab12f8bb89141848baa0c0a6
ssdeep | 1536:Ep8O8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:EVBoZuE/5xWgNmOnG8Gmn
Entropy | 4.759769
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
99 | 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
99 | 1ee54e3db1cfbdecd4b540185fe481708b9b2e167920cd2bed2d1a6a176d5d98
99 | 206ce81653e4f5953153a66c33bd1ad8e2cce821bc5e06e95008c16acbfa4305
99 | 24cf08a72fbae51534df73ca8e150ad2db3548950dcd0d415da16ffa4747b7a4
99 | d33f43fdf07c12f7c761f67b4928b0fc52baf0c065f87fc773422274d4ba00f2
99 | fdc0e5e2709511f7085f80f6558ae0947c1b04dc920f9b7d1b41f2b944b45bee
Relationships
dd8a2661a0... | Dropped_By | 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
Description
Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)
cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
Tags
CVE-2012-0158, dropper, trojan
Details
Name | Electronic Tickets.xlsx
Name | Electronic-Tickets.xlsx
Size | 41047 bytes
Type | Zip archive data, at least v1.0 to extract
MD5 | fd14a2e69f8fd212db228d946689242f
SHA1 | 0ca32a7bd47a8dea2ea0c4395f1855b797af7bfe
SHA256 | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
SHA512 | 3224c8d65b6cb8bc1c1b4e2fcb6e9c1f4357b6a5f1cac3daa1c325690c3729eb040e6cac73689757530923fcb2050626e78d638627ad5c6f532488ece861cb58
ssdeep | 768:NILBezDz84OLhQxFVcbS7usGASmp7rgJyV8CG2dM8snriF/7rQJlX:NIIz84OtQnVcO7usGA/7eyCp2dunux7+
Entropy | 7.905476
Antivirus
McAfee | Exploit-Shellcode.b
NANOAV | Exploit.ComObj.CVE-2012-0158.hzuf
Symantec | Trojan.Mdropper
TrendMicro | TROJ_CV.BC8636A1
TrendMicro House Call | TROJ_CV.BC8636A1
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
4425fb588a... | Dropped | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
4425fb588a... | Dropped | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
4425fb588a... | Dropped | a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a
4425fb588a... | Dropped | b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
4425fb588a... | Dropped | a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29
4425fb588a... | Dropped | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
4425fb588a... | Dropped_By | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
4425fb588a... | Dropped | ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb
4425fb588a... | Connected_To | sharedisplay.crabdance.com
Description
Process Tree:
- EXCEL.EXE 2680 (2468)
- - cmd.exe 100 (2680)
- - - Outlook.exe 1156 (100)
- - cmd.exe 2580 (2680)
- - - EXCEL.EXE 1276 (2580)
EXCEL.EXE (2680) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB263.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Electronic-Tickets.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Electronic-Tickets.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DADA823.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF49E9F5ED09064C50.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
NtCreateFile, C:\Users\user\AppData\Local\Temp\Outlook.exe
NtCreateFile, C:\Users\user\AppData\Local\Temp\~Excel.xlsx
EXCEL.EXE (1276) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRBAE0.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\AppData\Local\Temp\~Excel.xlsx
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$~Excel.xlsx
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL
NtCreateFile, C:\Windows\system32\imageres.dll
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoCBB3.tmp
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\AppData\Local\Temp\error012760_01.xml
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
cmd.exe (2580) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\cmd.exe
NtCreateFile, C:\Windows\INF\setupapi.app.log
NtCreateFile, C:\Windows\AppPatch\pcamain.sdb
Outlook.exe (1156) API behavior:
getaddrinfo, user-PC
getaddrinfo, sharedisplay.crabdance.com
NtCreateFile, C:\Users\user\AppData\Local\Temp\Outlook.exe
NtCreateFile, C:\Users\user\AppData\Local\Temp\regsvr.exe
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url
NtCreateFile, C:\Users\user\AppData\Local\Tempaspnet_perf.ini
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
NtCreateFile, Nsi
NtCreateFile, C:\Windows\system32\en-US\urlmon.dll.mui
File activity:
write, C:\Users\user\AppData\Local\Temp\~$Electronic-Tickets.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DADA823.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
write, C:\Users\user\AppData\Local\Temp\Outlook.exe
execute, cmd /c C:\Users\user\AppData\Local\Temp\Outlook.exe
write, C:\Users\user\AppData\Local\Temp\~Excel.xlsx
execute, cmd /c C:\Users\user\AppData\Local\Temp\~Excel.xlsx
execute, C:\Users\user\AppData\Local\Temp\Outlook.exe
write, C:\Users\user\AppData\Local\Temp\regsvr.exe
write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url
execute, C:\Users\user\AppData\Local\Temp\~Excel.xlsx
execute, "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
write, C:\Users\user\AppData\Local\Temp\~$~Excel.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoCBB3.tmp
write, C:\Users\user\AppData\Local\Temp\error012760_01.xml
Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsm`b:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA1DD4DA1DD4:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235521
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x005\x004\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235522
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184235521
write, Outlook: C:\Users\user\AppData\Local\Temp\Outlook.exe
write, HKEY_CURRENT_USER\Software\MicrosoftServerID: 14295685
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesUNCAsIntranet: 0
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesAutoDetect: 1
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235534
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsj9c:
write, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA2C94DA2C94:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235535
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235570
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235521
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184235522
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA35E3DA35E3:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_ClassesDA35E3:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryDA371ADA371A:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000\Software\Microsoft\Windows NT\CurrentVersionMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelFile MRUMax Display: 25
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes538F6C892AD540068154C6670774E980:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000LastPurgeTime: 23829032
Duplicate file:
Electronic-Tickets.xlsx
a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a
Details
Name | FireFox.url
Size | 67 bytes
Type | MS Windows 95 Internet shortcut, ASCII text, with CRLF line terminators
MD5 | 1af898d9128528b558b9dc69e5fff4a3
SHA1 | 16d10d145f6fe1c637516d92c3e986130de56844
SHA256 | a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a
SHA512 | db8f1a028482bc0989494622cde218d3d30eab201a8568eba731dc4bb2344f1bcf3227eefd8ef822ab86fc6e98f7bb8b85607671d83d504d130db634503db48c
ssdeep | 3:HRAbABGQ4mmRDcpkVkE2J5xAIi1:HRYF1mIDOk/23fo
Entropy | 4.558096
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
a57a8693a2... | Dropped_By | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
a57a8693a2... | Dropped_By | b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
Description
Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)
cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
Duplicate file:
FireFox.url
b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
Tags
backdoor, downloader, trojan
Details
Name | Outlook.exe
Name | regsvr.exe
Size | 16384 bytes
Type | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | e92f629b59d5560be0938d91b10cbf6b
SHA1 | 99770f3293e9bc1d98f18e05f3706cdf0436a029
SHA256 | b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
SHA512 | efc1b3ebeb330fd81b5c9274f9442eb386952145ebabcad59cc02af80e20b9fc903c6b0c92c3c322d061260d1be65278447e492f3c5119c5aa7b0b5c0e1b98b8
ssdeep | 384:pIExYslVXYKLa8PwnAhP6T2fLcvbT/z2S+v5C:pVYhjAZCS4vbT/SS+v5
Entropy | 7.584727
Antivirus
Ahnlab | Trojan/Win32.Agent
Avira | TR/Dldr.Agent.16384.79
BitDefender | Gen:Trojan.Heur.bmGfXzh!@hi
ESET | a variant of Win32/TrojanDownloader.Sarhust.F trojan
Emsisoft | Gen:Trojan.Heur.bmGfXzh!@hi (B)
Ikarus | Trojan-Downloader.Win32.Sarhust
NANOAV | Trojan.Win32.Sarhust.dqfszc
Symantec | Backdoor.Darkmoon!g11
TrendMicro | BKDR_DARKMOON.CX
TrendMicro House Call | BKDR_DARKMOON.CX
VirusBlokAda | BScope.TrojanDownloader.Sarhust
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
Compile Date | 2014-11-20 21:54:59-05:00
Import Hash | bf924fd174676b993d0b52ce64981e79
PE Sections
MD5 | Name | Raw Size | Entropy
93df4c3353d017a4c5ae4f02bc7b3be5 | header | 1024 | 2.192257
d41d8cd98f00b204e9800998ecf8427e | .txt | 0 | 0.000000
39a44749e7dc3e3e3680ca3e6347e73f | .rdata | 14848 | 7.841829
ed3ca45c281e057927ac5d9f5efe2f04 | .data | 512 | 2.602482
Packers/Compilers/Cryptors
UPX -> www.upx.sourceforge.net
Relationships
b4a2f1fd5a... | Dropped_By | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
b4a2f1fd5a... | Dropped | a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a
b4a2f1fd5a... | Dropped | b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
b4a2f1fd5a... | Dropped_By | b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b
Description
Process Tree:
- Outlook.exe 3660 (2476)
Outlook.exe (3660) API behavior:
getaddrinfo, user-PC
getaddrinfo, sharedisplay.crabdance.com
NtCreateFile, C:\Users\user\AppData\Local\Temp\Outlook.exe
NtCreateFile, C:\Users\user\AppData\Local\Temp\regsvr.exe
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url
NtCreateFile, C:\Users\user\AppData\Local\Tempaspnet_perf.ini
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
NtCreateFile, Nsi
NtCreateFile, C:\Windows\system32\en-US\urlmon.dll.mui
File activity:
write, C:\Users\user\AppData\Local\Temp\regsvr.exe
write, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireFox.url
Registry activity:
write, HKEY_CURRENT_USER\Software\MicrosoftServerID: 35894213
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
Duplicate file:
regsvr.exe
a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29
Details
Name | MSComctlLib.exd
Size | 168732 bytes
Type | data
MD5 | aa81574288e16eca2ba5cd6ce883e187
SHA1 | 2eddfd6ceeb692d8fb108c3a68973ea81c40d3cb
SHA256 | a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29
SHA512 | 121dc54b75e3fc58f11637e124394b55761dfd0dfcb701fd7c3434ba84093fe22e7f91073f799baa3dc9e844da288640e27df7df8dea7964a02ad457f2bfb067
ssdeep | 1536:Ep8D8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:EoBoZuE/5xWgNmOnG8Gmn
Entropy | 4.759764
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
99 | 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
99 | 1ee54e3db1cfbdecd4b540185fe481708b9b2e167920cd2bed2d1a6a176d5d98
99 | 206ce81653e4f5953153a66c33bd1ad8e2cce821bc5e06e95008c16acbfa4305
99 | 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
99 | 24cf08a72fbae51534df73ca8e150ad2db3548950dcd0d415da16ffa4747b7a4
99 | 2a5edeb74169258b17b39bd3c7cb33948e7b4f7fb507ff244662cdc3b7724d77
99 | 2e325bfb75e71651bc459566665700811240e0fd7098cc5b16fa8ca5d2236f62
Relationships
a8a277c10d... | Dropped_By | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
Description
Process Tree:
- cmd.exe 2680 (2468)
- - cmd.exe 2612 (2680)
cmd.exe (2612) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb
Details
Name | error012760_01.xml
Size | 691 bytes
Type | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5 | 08d54cd22dbf103b0a90f165ed1b77db
SHA1 | a5340db9a7df79a8cd31aba5dced7a6df78cbb4d
SHA256 | ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb
SHA512 | edbcef407ef2e05d837c570f938b1a012b0201e4fb27c2a3d4cff23f2ae10d68780883a63675fb6e8f53852d3a7fb5379d3e748d44516f0522c3dc552797bd7d
ssdeep | 12:TMHdtz6fxVBd5lfeJoti+KgyPCLGTmylMF6l38Z5PB2B2Blb:2dtz6fxLd5VsoGNCqsnB2B2Blb
Entropy | 4.941871
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
97 | 285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
99 | 53a4546d066fce5aa5bdc44694f353ca8761cd8451f33c0ef24c6106ea382dcb
96 | cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
94 | f57e76cfc2e9dd4e8d9b1c504541d8848fae8fe44d026647b135ea9cff14a6e4
Relationships
ce7cee02be... | Dropped_By | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
Description
Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)
cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
Tags
CVE-2012-0158
Details
Name | Health Register Form.xlsx
Name | Health-Register-Form.xlsx
Size | 47331 bytes
Type | Zip archive data, at least v1.0 to extract
MD5 | f0636dd3057095069a7fb2f7620790b0
SHA1 | 79746748ba38522f164346dac1789eff9e1af0df
SHA256 | a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
SHA512 | 362b02bea79eeb2bb59def545d22c8bac9fcd24c210bc963ae9af2d6d801cf709b642f726d403dc479d3ea2c372a649e2464a6e4277538651d3414d0d0b5069f
ssdeep | 768:SobQS+DDDIJFPZD+3yHpb5rTC6H5pUdqrMHV96cptUr0fvGFD3rAJ+dECYkiT:SBsJFPZ8YM6ZmTHbLU4f+13rvpE
Entropy | 7.925009
Antivirus
Ikarus | Exploit.CVE-2012-0158.Gen2
McAfee | Exploit-Shellcode.b
NANOAV | Exploit.ComObj.CVE-2012-0158.hzuf
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
a261962d1f... | Dropped | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
a261962d1f... | Dropped | a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
a261962d1f... | Dropped_By | a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
a261962d1f... | Dropped | 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
a261962d1f... | Dropped | 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
Description
Process Tree:
- EXCEL.EXE 364 (2472)
- - cmd.exe 3060 (364)
- - - SqlServer.exe 1272 (3060)
- - cmd.exe 748 (364)
EXCEL.EXE (364) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB26D.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Health-Register-Form.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL
NtCreateFile, C:\Windows\system32\imageres.dll
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB77.tmp
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EAC1637.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF8DC69AA1B12AE2DF.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe
NtCreateFile, C:\Users\user\AppData\Local\Temp\Health Register Form.xlsx
SqlServer.exe (1272) API behavior:
getaddrinfo, user-PC
NtCreateFile, C:\Users\user\AppData\Local\Temp\logs\
NtCreateFile, C:\Users\user\AppData\Local\Temp\SqlServer.exe
NtCreateFile, Nsi
NtCreateFile, C:\DEVICE\NETBT_TCPIP_{EE3609C4-8FD2-4425-A052-503E93DD9F04}
File activity:
write, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBB77.tmp
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EAC1637.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
write, C:\Users\user\AppData\Local\Temp\SqlServer.exe
execute, cmd /c C:\Users\user\AppData\Local\Temp\SqlServer.exe
write, C:\Users\user\AppData\Local\Temp\Health Register Form.xlsx
execute, cmd /c C:\Users\user\AppData\Local\Temp\Health Register Form.xlsx
execute, C:\Users\user\AppData\Local\Temp\SqlServer.exe
Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsws1:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1A3885E1A3885E:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301069
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301105
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184301057
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\UsageProductNonBootFilesIntl_1033: 1184301058
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1A3901D1A3901D:
write, HKEY_USERS\S-1-5-21-660000810-1162586166-2153334598-1000_Classes1A3901D:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301057
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00B\x007\x005\x00F\x00-\x009\x004\x00E\x000\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301058
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184301057
write, SqlServer: C:\Users\user\AppData\Local\Temp\SqlServer.exe
Duplicate file:
Health-Register-Form.xlsx
1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
Details
Name | MSComctlLib.exd
Size | 168732 bytes
Type | data
MD5 | 2652869c4eba535b07b7dace41a28cd5
SHA1 | 98054054f8bcf1b2a8cf38bf8ee87daa80b80eee
SHA256 | 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
SHA512 | 5f4ed5a56faf3a70b6701a7a54c303c014e703200ef4921991e7d924799c60a14f61672a4cb6e7ea7ae78c2715dea3bef26b5585f14cf68c38ed49c311c34e87
ssdeep | 1536:Ep8E8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:EzBoZuE/5xWgNmOnG8Gmn
Entropy | 4.759740
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
99 | 1ee54e3db1cfbdecd4b540185fe481708b9b2e167920cd2bed2d1a6a176d5d98
100 | 206ce81653e4f5953153a66c33bd1ad8e2cce821bc5e06e95008c16acbfa4305
99 | 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
99 | 24cf08a72fbae51534df73ca8e150ad2db3548950dcd0d415da16ffa4747b7a4
99 | 2e325bfb75e71651bc459566665700811240e0fd7098cc5b16fa8ca5d2236f62
99 | fdc0e5e2709511f7085f80f6558ae0947c1b04dc920f9b7d1b41f2b944b45bee
Relationships
1e22565e88... | Dropped_By | a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
Description
Process Tree:
- cmd.exe 3660 (2476)
- - cmd.exe 2708 (3660)
cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
Details
Name | Health Register Form.xlsx
Name | Health-Register-Form.xlsx
Size | 12846 bytes
Type | Zip archive data, at least v2.0 to extract
MD5 | abcf8848ad366aaedd7078c5e3d433bc
SHA1 | e9584415cbfd1de4daa1e7dc29f4913f14846240
SHA256 | 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
SHA512 | 056bf778fe88a251c108bea68ffc24927a829664faf4dea75de1a89f67f13e6b5c8cc419712259e379634938338901f75aea7316ef7de7ec84b0abf66d1b6a2f
ssdeep | 192:g5rgxo+7TF+jxy5MIstHPDRCybKI0iubkULcTivX2DEHLGlwMw:g5co4TSxwMI0DRPtPLTKXA0GlwMw
Entropy | 7.872267
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
4b6576b854... | Dropped_By | a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
4b6576b854... | Dropped | 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
4b6576b854... | Dropped_By | 4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c
Description
Process Tree:
- EXCEL.EXE 3660 (2476)
EXCEL.EXE (3660) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB259.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Health-Register-Form.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\sendtoonenote.BUD
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\sendtoonenote.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\StdNames.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNoteNames.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNoteFilter.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNote.ini
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
File activity:
write, C:\Users\user\AppData\Local\Temp\~$Health-Register-Form.xlsx
Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsy#;:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1110C4A1110C4A:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235570
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x009\x00D\x00B\x007\x001\x003\x00A\x000\x00-\x00F\x002\x00E\x008\x00-\x004\x00A\x002\x00C\x00-\x00A\x001\x00C\x002\x00-\x00F\x004\x003\x008\x00D\x00C\x00E\x00C\x002\x007\x00F\x007\x00}\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery1110D631110D63:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelPlace MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelFile MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing538F6C892AD540068154C6670774E980:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelSecurityTrusted DocumentsLastPurgeTime: 23829052
Duplicate file:
Health-Register-Form.xlsx
7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
Tags
CVE-2012-0158
Details
Name | Meeting Schedule (8 ~ 19 Dec 2014).xlsx
Name | Meeting-Schedule-8-19-Dec-2014.xlsx
Size | 54270 bytes
Type | Zip archive data, at least v1.0 to extract
MD5 | b966130bb3c494c66aae7333e7022ef3
SHA1 | d43df8f45a145c900cedc370219b2a0cb8711a6f
SHA256 | 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
SHA512 | 9a69b42352eaa1fcb94d108c4bb54cb54a45946cb3f235da4e89424b0bff66c7e1126cc77eec9f71af9b9451e9e273bc870ac72d6cf4ddc483f7b86b24c8d0ed
ssdeep | 768:3CtweOY48GDFWX2ZRz5k8ftEp22hgKvxVVfywPbvcGvMvmkJhFyariJCVI:3C2YjGDHnEpbNvxHyCblvMOkfgarV6
Entropy | 7.938566
Antivirus
McAfee | Exploit-Shellcode.b
NANOAV | Exploit.ComObj.CVE-2012-0158.hzuf
TrendMicro | TROJ_CV.BC8636A1
TrendMicro House Call | TROJ_CV.BC8636A1
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
7034f53d22... | Dropped | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
7034f53d22... | Dropped | 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
7034f53d22... | Dropped_By | 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
7034f53d22... | Dropped | b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c
Description
Process Tree:
- EXCEL.EXE 2680 (2468)
EXCEL.EXE (2680) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB277.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Meeting-Schedule-8-19-Dec-2014.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Meeting-Schedule-8-19-Dec-2014.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE6786AD.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF8957F815FB0DA594.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
File activity:
write, C:\Users\user\AppData\Local\Temp\~$Meeting-Schedule-8-19-Dec-2014.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE6786AD.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems!(::
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery21165682116568:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301057
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x008\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184301058
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184301069
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184301105
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184301057
Duplicate file:
Meeting-Schedule-8-19-Dec-2014.xlsx
b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c
Details
Name | MSComctlLib.exd
Size | 168732 bytes
Type | data
MD5 | 0f5f292d8ca4f233eb342f791f176b84
SHA1 | 1009a088a6119e1edf079dc725dea1170cc14621
SHA256 | b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c
SHA512 | eee6ad53c9ab7d2e59dedb3b8b99c1e552f059670e181f9c2b131dcfa76823461663422dace48ab3b7256b2127ab13ed7d212c749c2548e284d1e86a2121e593
ssdeep | 1536:Ep8K8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:EZBoZuE/5xWgNmOnG8Gmn
Entropy | 4.759758
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
99 | 1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce
99 | 1ee54e3db1cfbdecd4b540185fe481708b9b2e167920cd2bed2d1a6a176d5d98
99 | 206ce81653e4f5953153a66c33bd1ad8e2cce821bc5e06e95008c16acbfa4305
99 | 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
99 | 24cf08a72fbae51534df73ca8e150ad2db3548950dcd0d415da16ffa4747b7a4
99 | 2e325bfb75e71651bc459566665700811240e0fd7098cc5b16fa8ca5d2236f62
Relationships
b5f4e9a4de... | Dropped_By | 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
Description
Process Tree:
- cmd.exe 3660 (3768)
- - cmd.exe 2708 (3660)
cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
Tags
CVE-2012-0158
Details
Name | Tel list for HBS.xlsx
Name | Tel-list-for-HBS.xlsx
Size | 40058 bytes
Type | Zip archive data, at least v1.0 to extract
MD5 | 0929a53e3ed6f5890fedddbf08261aed
SHA1 | ad9758116e54ecd596a24563f13bf57c254d706b
SHA256 | ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
SHA512 | 556637c4f4398af8a09930094f3a3fa085159982b45a0fadf38ddb31b8b0e537ac32a12d194e98e151f1561da1b1d026a532927fc518e76da1f186d976a683b3
ssdeep | 768:6tH5UGxJBiVN0QF/m8EENsLffrd+au2ePAyA1FwnXtLP6FnXrAJOR:6V5jZUNFBWq63luJPAyemXtLStXrrR
Entropy | 7.902359
Antivirus
McAfee | Exploit-Shellcode.b
NANOAV | Exploit.ComObj.CVE-2012-0158.hzuf
TrendMicro | TROJ_CV.BC8636A1
TrendMicro House Call | TROJ_CV.BC8636A1
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
ea28769e94... | Dropped | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
ea28769e94... | Dropped | ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
ea28769e94... | Dropped_By | ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
ea28769e94... | Dropped | 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
Description
Process Tree:
- EXCEL.EXE 2680 (2468)
EXCEL.EXE (2680) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB277.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\Tel-list-for-HBS.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$Tel-list-for-HBS.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD231BDC.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF82986D6839BE82B8.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
File activity:
write, C:\Users\user\AppData\Local\Temp\~$Tel-list-for-HBS.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD231BDC.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems!&+:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery2302E82302E8:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235521
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x007\x001\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235522
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184235521
Duplicate file:
Tel-list-for-HBS.xlsx
2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
Details
Name | MSComctlLib.exd
Size | 168732 bytes
Type | data
MD5 | 6e81bf814bca598c1fcc7f968601241e
SHA1 | fc36a4502eb5e9a9186844c79beb26e804ed70dc
SHA256 | 2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87
SHA512 | f4297bee11f642c9de0acb4d9f43a4ea03e97a6d9592981b35d84ff0b98050ff6c163a41d4244ae4e5a5eb5086fd278ed1219e36bf0b7bcb2e845e1774ff798e
ssdeep | 1536:Ep8M8kn+4Zy4fyujoe5dRM/RVJxWgmxumOcKG2K+bdItwVGljkr1Jrktt4xOQRln:ErBoZuE/5xWgNmOnG8Gmn
Entropy | 4.759762
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
99 | 2a5edeb74169258b17b39bd3c7cb33948e7b4f7fb507ff244662cdc3b7724d77
99 | 2e325bfb75e71651bc459566665700811240e0fd7098cc5b16fa8ca5d2236f62
99 | 37c59ad54a86c673c5f2420a6c617c7289b2ba66cdc69a94a8f630edc6c5576c
99 | 7e57e5cf63b6715d0070a10ed86cb73ecc2e23b49a152b0485a3fd31e9136129
Relationships
2491fa4ff5... | Dropped_By | ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
Description
Process Tree:
- cmd.exe 3660 (3768)
- - cmd.exe 2708 (3660)
cmd.exe (2708) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll
File activity:
execute, cmd.exe
632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
Tags
CVE-2012-0158
trojan
Details
Name | UPDATED DLT as of 31 OCTOBER 2014(final).xlsx
Name | UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx
Size | 48045 bytes
Type | Zip archive data, at least v1.0 to extract
MD5 | b86e5e2d5f623a36a3e31bbbc7ae5877
SHA1 | b6f23af9ca33e929897c52bd7beb67dd8128a11f
SHA256 | 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
SHA512 | c6ef908446a74b762c26cfac083419f743fe0946a85013e0a094f583f667fd742c8edb7531d0c22e39fc7c33a61dcda55b3bb76b8974f4653e5f0787b47bd361
ssdeep | 768:aI82H2VYbUmJ888RzPS8kSH/ccDHW+XO9AWmNgw036g0ms/J+RvFMwrCJhJ:ar2HcYhJ8zPjkSH/cc/vWmNg5ts/J+1k
Entropy | 7.927029
Antivirus
McAfee | Exploit-Shellcode.b
NANOAV | Exploit.ComObj.CVE-2012-0158.hzuf
TrendMicro | TROJ_CV.BC8636A1
TrendMicro House Call | TROJ_CV.BC8636A1
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
632d6e5d5f... | Dropped | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
632d6e5d5f... | Dropped | 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
632d6e5d5f... | Dropped_By | 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
Description
Process Tree:
- EXCEL.EXE 2680 (2468)
EXCEL.EXE (2680) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRB26D.tmp
NtCreateFile, C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.config
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\Documents
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\581A9D3E.emf
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DFA0ED67C86B701B46.TMP
NtCreateFile, C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
File activity:
write, C:\Users\user\AppData\Local\Temp\~$UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\581A9D3E.emf
write, C:\Users\user\AppData\Local\Temp\Excel8.0\MSComctlLib.exd
Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemswr+:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ExcelMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecoveryA32F5EA32F5E:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235521
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x000\x002\x007\x008\x000\x005\x00F\x00-\x00F\x005\x006\x004\x00-\x004\x00B\x00D\x00B\x00-\x00A\x007\x002\x003\x00-\x006\x008\x00E\x001\x00E\x001\x009\x005\x004\x00D\x005\x002\x00}\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1184235522
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageEXCELFiles: 1184235533
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1184235569
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1184235521
Duplicate file:
UPDATED-DLT-as-of-31-OCTOBER-2014final.xlsx
sharedisplay.crabdance.com
Tags
command-and-control
Relationships
sharedisplay.crabdance.com | Connected_From | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
Relationship Summary
d98266f962... | Dropped | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
d98266f962... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
d98266f962... | Dropped | f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
d98266f962... | Dropped | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
d98266f962... | Dropped | ae7c0faac46c93acd12c4047429a520fc722577d66265eda9a4c2da029081cb9
d98266f962... | Dropped | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
d98266f962... | Dropped | 285b07362f7e26cb31eec2b50aff42107225ebeabf767567c8fc0a82d96a8e81
285b07362f... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
f18029b49e... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
f18029b49e... | Dropped | f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
f18029b49e... | Dropped_By | f18029b49e77323e2ef2f13f417552a0157b1483387a8a9b5a2f19ef0c4911a2
e0e3b1b331... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
e0e3b1b331... | Dropped_By | 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
e0e3b1b331... | Dropped_By | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
e0e3b1b331... | Dropped_By | a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a
e0e3b1b331... | Dropped_By | 7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09
e0e3b1b331... | Dropped_By | ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801
e0e3b1b331... | Dropped_By | 632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4
ae7c0faac4... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
a0ee57b452... | Dropped_By | d98266f962f50c217a113b1c8f874810c8a22a0e449e8320f62375cd28f9b3eb
a0ee57b452... | Dropped | cfedd2b1c513367e53d23c2750115354ca1ed265a076c97108ac19edf6672ce9
a0ee57b452... | Dropped | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
a0ee57b452... | Dropped_By | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
a0ee57b452... | Dropped_By | 4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a
cfedd2b1c5... | Dropped_By | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
96387d3759... | Dropped | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
96387d3759... | Dropped | 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
96387d3759... | Dropped_By | 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
96387d3759... | Dropped | dd8a2661a00bb0a05aecde0b005018f7ec8fe75ca61dd7c64ca499bf473a8060
dd8a2661a0... | Dropped_By | 96387d37595e61db0c0bb50576063e6e8102351d63cf7685d04cdf1fcc836858
4425fb588a... | Dropped | e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2
4425fb588a... | Dropped | a0ee57b45259b13ccf63d2559d5baaafec100068c76683924b97440828a56757
4425fb588a... | Dropped | a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a
4425fb588a... |
Dropped |
b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b |
4425fb588a... |
Dropped |
a8a277c10d5879e31e23bc3009f63043b22adb84de7f6738abecd7f2973f1c29 |
4425fb588a... |
Dropped |
4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a |
4425fb588a... |
Dropped_By |
4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a |
4425fb588a... |
Dropped |
ce7cee02be825f9d8f3b598b0bb291b1c7ac31af9b2a827c4380c8aab38fedcb |
4425fb588a... |
Connected_To |
sharedisplay.crabdance.com |
a57a8693a2... |
Dropped_By |
4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a |
a57a8693a2... |
Dropped_By |
b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b |
b4a2f1fd5a... |
Dropped_By |
4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a |
b4a2f1fd5a... |
Dropped |
a57a8693a2034406a0616e1997b406ba708446d864be2e8527f6f9a0ad3fbb6a |
b4a2f1fd5a... |
Dropped |
b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b |
b4a2f1fd5a... |
Dropped_By |
b4a2f1fd5a4d207dbd47df345ec8844d9bc560ae14f2f0c9bfc3f0a4a487ce4b |
a8a277c10d... |
Dropped_By |
4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a |
ce7cee02be... |
Dropped_By |
4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a |
a261962d1f... |
Dropped |
e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2 |
a261962d1f... |
Dropped |
a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a |
a261962d1f... |
Dropped_By |
a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a |
a261962d1f... |
Dropped |
1e22565e880924f08fe9930d843beb232c983827e995cc88a56742eb70575bce |
a261962d1f... |
Dropped |
4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c |
1e22565e88... |
Dropped_By |
a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a |
4b6576b854... |
Dropped_By |
a261962d1f1b713e7f8419ffb59cdebb2375be5db59ef67bce42c29b48ac930a |
4b6576b854... |
Dropped |
4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c |
4b6576b854... |
Dropped_By |
4b6576b8541bd403c59116994aa045d8f59ffc55fb9cd96e18d092e6514e871c |
7034f53d22... |
Dropped |
e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2 |
7034f53d22... |
Dropped |
7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09 |
7034f53d22... |
Dropped_By |
7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09 |
7034f53d22... |
Dropped |
b5f4e9a4de99a27cf3de77e11bd11cf744596dd19c1c035f3525820a41b46f7c |
b5f4e9a4de... |
Dropped_By |
7034f53d223137ca116d2995303f0ae8f91fee70f5493ffed4e0e9f9ced04a09 |
ea28769e94... |
Dropped |
e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2 |
ea28769e94... |
Dropped |
ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801 |
ea28769e94... |
Dropped_By |
ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801 |
ea28769e94... |
Dropped |
2491fa4ff51ad7f62bda84c9c61df0cf1cfadee5d40e32fe0835a3820f6c3b87 |
2491fa4ff5... |
Dropped_By |
ea28769e94173759c764b0850ecad8a626c01108339227306517b01f32549801 |
632d6e5d5f... |
Dropped |
e0e3b1b3318a12a580b41eaf3f761798f1c94f35f2df7b74fd82002c71e27dd2 |
632d6e5d5f... |
Dropped |
632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4 |
632d6e5d5f... |
Dropped_By |
632d6e5d5f1b620cc0002bd77f8eb7188e830a8309f16c357014e3480be8eff4 |
sharedisplay.crabdance.com |
Connected_From |
4425fb588aaae7107da68b7b99cbc154dfc01c204d47a3e3a96abc6bacc1460a |
Conclusion
Mitigation
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention and Handling for Desktops and Laptops".
Contact Information
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or [email protected].
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.