VMRay Analyzer Report for Sample #21058
Analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system. Sample-ID #21058, Job-ID #17184, Submission-ID #22043.

Metadata of Sample File #21058
  Path:   C:\Users\kFT6uTQW\Desktop\QAS_031218.xls (type: xls)
  MD5:    e9095deab097f17e0989cf518b0133ce
  SHA1:   4d3e7af89f9afb8c5d4b0f7c3f865bb4dbacf327
  SHA256: 2dc346015c02c8c9f97e75f72cf194c8a8830c7a932ba22c502fcd3841a14e56
  Relation: Opened_By Process 1 (excel.exe)

Metadata of Analysis for Job-ID #17184
  Timeout: False
  Architecture: x86 64-bit; OS build 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
  VM image: win7_64_sp1-mso2007 (Windows 7)
  VTI Database Version: 2.6 (the overall VTI score field in this export reads 0)
  Other recorded values: True, 221.291

Malware Artifacts

Process tree (PID, image, parent PID, command line, working directory)
  Process 1: PID 2352 excel.exe, parent PID 1100
      "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE"
      working directory C:\Users\kFT6uTQW\Desktop\
      image c:\program files (x86)\microsoft office\office12\excel.exe
      recorded relations: Child_Of, Child_Of, Created, Created
  Process 2: PID 984 svchost.exe, parent PID 452
      C:\Windows\system32\svchost.exe -k LocalService
      working directory C:\Windows\system32\
      image c:\windows\system32\svchost.exe
  Process 3: PID 2620 heidi.exe, parent PID 2352 (Process 1)
      "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe"
      working directory C:\Users\kFT6uTQW\Desktop\
      image c:\users\kft6utqw\appdata\local\temp\heidi.exe
      recorded relations: Child_Of, Opened (3)
  Process 4: PID 2672 heidi.exe, parent PID 2620 (Process 3)
      "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe"
      working directory C:\Users\kFT6uTQW\Desktop\
      image c:\users\kft6utqw\appdata\local\temp\heidi.exe
      recorded relations: Wrote_To, Deleted, Created (2), Moved, Opened (10), Modified_Properties_Of, Read_From (2), Connected_To (3)

Files
  c:\users\kft6utqw\appdata\local\temp\heidi.exe (exe)
      MD5    a6a97f17880e37067c822e14a75bb3af
      SHA1   1aab183abb65685af92b201a2e47ba3d9ce0856e
      SHA256 b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac
      downloaded from http://kdotraky.com/kat/val.exe
      Moved_To c:\users\kft6utqw\appdata\roaming\98e541\12eef2.exe
  c:\users\kft6utqw\appdata\roaming\98e541\12eef2.exe (exe)
      same MD5/SHA1/SHA256 as heidi.exe (it is the renamed download)
      Moved_From c:\users\kft6utqw\appdata\local\temp\heidi.exe
  c:\users\kft6utqw\appdata\roaming\98e541\12eef2.hdb (hdb)
      MD5    aced026ed487b5cbb298f9ab09e6f1c1
      SHA1   1ceff0fbc90b0f2c6fab37bcde68f2a9170a7cf8
      SHA256 c22bcce160e0645d030b554a30a0671bc2b2f30b1654dcd4111d871bb9c8e6bf
  c:\users\kft6utqw\appdata\roaming\98e541\12eef2.lck (lck; no hash recorded)
  c:\users\kft6utqw\appdata\local\google\chrome\user data\default\login data (Chrome saved-credential store; no hash recorded)

Registry keys (hive, key, value where recorded)
  HKEY_CURRENT_USER\Software\Borland\Locales
  HKEY_LOCAL_MACHINE\Software\Borland\Locales
  HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value MachineGuid
  HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
  HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox, value CurrentVersion
  HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main, value Install Directory
  HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup, value SetupPath
  HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari, value InstallDir
  HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon, value CurrentVersion
  HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey, value CurrentVersion
  HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey, value CurrentVersion
  HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock, value CurrentVersion
  HKEY_CURRENT_USER\<obfuscated key name, rendered in the export as "������Д�������ќ��Ћ���Я����Й���Й��я��"; see the note on obfuscated strings below>

Mutex
  73EE9CC98E5412EEF2B9A336

Network
  URI kdotraky.com Resolved_To Address 101.99.75.184
  DNSRecord kdotraky.com (port 80)
  DNSRecord / URI with obfuscated name, rendered in the export as "����ÅÐÐ��������Ñ���Ð����Я����Ð����Ð���Ñ���" (see note below)
  SocketAddress 101.99.75.184:80 TCP; NetworkSocket 101.99.75.184:80 TCP
  SocketAddress kdotraky.com:80; NetworkConnection HTTP kdotraky.com:80
  URI http://kdotraky.com/kat/val.exe (payload download)
  URI kdotraky.com/temp/Panel/five/fre.php (HTTP connection after execution)

Note on the obfuscated strings: three artifacts above (the HKEY_CURRENT_USER key name, the DNSRecord/URI on port 80, and the host name in the second vmray_request_dns_by_name match) are rendered as unreadable byte strings. Each is the bitwise complement (every byte XOR 0xFF) of the C2 URI http://kdotraky.com/temp/Panel/five/fre.php. Complementing a printable ASCII URL produces bytes in the range 0x80..0xD1, which the export displays as Windows-1252 glyphs (for example "—‹‹" for "htt", "Ð" for "/", "Ñ" for "."); the bytes 0x8D, 0x8F and 0x90 (the complements of "r", "p" and "o") have no Windows-1252 glyph and are dropped, which is why the visible strings are shorter than the URL. The report records the still-encoded buffer being used as a registry key name and as a DNS query name, while the HTTP connection uses the decoded host and path.

Note on the mutex and drop path: the mutex name 73EE9CC98E5412EEF2B9A336 contains both the drop directory name (98E541) and the dropped file's stem (12EEF2). All three are therefore the same value, and given that the sample reads the cryptographic MachineGuid, they should be treated as host-specific rather than as static indicators; the file hashes and the kdotraky.com host and paths are the portable indicators in this report.

VTI rule matches (category, rule, score, description)
  Network               vmray_download_file_by_url      4/5  Download file from "http://kdotraky.com/kat/val.exe" to "c:\users\kft6utqw\appdata\local\temp\heidi.exe".
  Process               vmray_document_create_process   4/5  Create process "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe".
  Anti Analysis         vmray_detect_debugger_by_api    4/5  Try to detect debugger: check via API "NtQueryInformationProcess".
  Information Stealing  vmray_read_machine_guid         2/5  Read the cryptographic machine GUID from the registry.
  Process               vmray_install_ipc_endpoint      1/5  Create mutex with name "73EE9CC98E5412EEF2B9A336".
  Browser               vmray_read_browser_credentials  3/5  Read saved credentials for "Google Chrome".
  Network               vmray_request_dns_by_name       3/5  Resolve host name "kdotraky.com".
  Network               vmray_request_dns_by_name       3/5  Resolve host name "—‹‹ÅÐД›‹ž”†Ñœ’Ћš’Ð¯ž‘š“Й–‰šÐ™šÑ—" (the obfuscated C2 URI; see note above).
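As an added worked example (not part of the VMRay report and not the sample's own code), the following Python undoes the rendering described above: it maps the report's Windows-1252 and merged-UTF-8 characters back to the captured bytes, complements them, and checks that the only characters missing from the result are those whose complemented byte has no Windows-1252 glyph. It also cross-checks the mutex name against the drop path. The URL, the rendered DNS string, the mutex and the path are copied from this report; the function names and the CP1252_UNDEFINED set are this example's own assumptions.

```python
"""Recover an XOR-0xFF obfuscated C2 string from a sandbox report export.

The report displayed the complemented bytes as Windows-1252 text, merged a
few 0xD0/0xD1 + 0x80..0xBF byte pairs into Cyrillic characters via UTF-8,
and silently dropped bytes that Windows-1252 does not define. The helpers
below reverse that and validate the result against the clear-text URI
that appears elsewhere in the same report.
"""

XOR_KEY = 0xFF

# Windows-1252 code points with no assigned glyph; bytes with these values
# vanish when a byte string is shown as text (assumption for this example).
CP1252_UNDEFINED = {0x81, 0x8D, 0x8F, 0x90, 0x9D}

# Clear-text C2 URI as recorded in the report's NetworkConnection/URI entries.
C2_URL = "http://kdotraky.com/temp/Panel/five/fre.php"

# Host name exactly as rendered in the report's second
# vmray_request_dns_by_name match.
REPORT_DNS_NAME = "—‹‹ÅÐД›‹ž”†Ñœ’Ћš’Ð¯ž‘š“Й–‰šÐ™šÑ—"

# Mutex name and drop path copied from the report.
MUTEX = "73EE9CC98E5412EEF2B9A336"
DROP_PATH = r"c:\users\kft6utqw\appdata\roaming\98e541\12eef2.exe"


def obfuscate(plaintext: str) -> bytes:
    """Complement every byte (b ^ 0xFF), the encoding seen in the report."""
    return bytes(b ^ XOR_KEY for b in plaintext.encode("ascii"))


def deobfuscate(blob: bytes) -> str:
    """Inverse of obfuscate(); XOR with a constant is its own inverse."""
    return bytes(b ^ XOR_KEY for b in blob).decode("latin-1")


def rendered_to_bytes(rendered: str) -> bytes:
    """Map a string as displayed in the report back to the captured bytes.

    Characters that exist in Windows-1252 came from one byte each; the
    Cyrillic characters came from a two-byte sequence the report's decoder
    accepted as UTF-8, so they are re-encoded as UTF-8.
    """
    out = bytearray()
    for ch in rendered:
        try:
            out += ch.encode("cp1252")
        except UnicodeEncodeError:
            out += ch.encode("utf-8")
    return bytes(out)


def recover_from_report(rendered: str) -> str:
    """Deobfuscate a rendered report string (lossy: undefined bytes are gone)."""
    return deobfuscate(rendered_to_bytes(rendered))


def missing_chars(recovered: str, candidate: str):
    """Characters of `candidate` absent from `recovered`, assuming `recovered`
    is `candidate` with some characters dropped; None if they cannot be
    reconciled that way."""
    missing = []
    i = 0
    for ch in candidate:
        if i < len(recovered) and recovered[i] == ch:
            i += 1
        else:
            missing.append(ch)
    return missing if i == len(recovered) else None


def explained_by_rendering(recovered: str, candidate: str) -> bool:
    """True if every dropped character complements to an unassigned
    Windows-1252 byte, i.e. the gaps are a display artifact, not a different
    string."""
    missing = missing_chars(recovered, candidate)
    return missing is not None and all(
        (ord(ch) ^ XOR_KEY) in CP1252_UNDEFINED for ch in missing
    )


def mutex_matches_drop_path(mutex: str, path: str) -> bool:
    """Drop directory name and file stem both occur inside the mutex name."""
    parts = path.lower().split("\\")
    directory, stem = parts[-2], parts[-1].rsplit(".", 1)[0]
    return directory in mutex.lower() and stem in mutex.lower()


if __name__ == "__main__":
    print("obfuscated C2 URL:", obfuscate(C2_URL).hex())
    recovered = recover_from_report(REPORT_DNS_NAME)
    print("recovered from report:", recovered)
    print("dropped characters:", missing_chars(recovered, C2_URL))
    print("gaps explained by rendering:", explained_by_rendering(recovered, C2_URL))
    print("mutex embeds drop path components:", mutex_matches_drop_path(MUTEX, DROP_PATH))
```

The recovered string reads "htt://kdtaky.cm/tem/Panel/five/fe.h": every gap is an "o", "p" or "r", exactly the three letters whose complements (0x90, 0x8F, 0x8D) Windows-1252 cannot display, so the rendered DNS name, the rendered registry key and the clear-text URI are one and the same string. When reproducing this against a raw sandbox export, feed the bytes directly to deobfuscate() and skip the lossy rendered_to_bytes() step.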