2c5729e1...d7c6 | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Dropper, Downloader

2c5729e17b64cd4e905ccfeabbc913ed945e17625c35ec1d6932194aae83d7c6 (SHA256)

DOC_443353149786_10082018.pdf

PDF Document

Created at 2018-08-10 12:36:00

...

Notifications (2/2)

The overall sleep time of all monitored processes was truncated from "20 minutes, 15 seconds" to "2 minutes" to reveal dormant functionality.

The operating system was rebooted during the analysis.

Indicators

File (21)
»
Filename Hash Operations Source
C:\ - Access
C:\Users - Access
C:\Users\BMe1N39jU1 6criBQ - Access
C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe MD5: 5473299167525c8d0addb8248900606a
SHA1: fa99241ee9581f281544423881cf702375d33c23
SHA256: bc1fc69f9747dc034ece7d9bb795c5e596d9be6ca71efe75c6c0fd18f3cbfbf5
SSDeep: 3072:Zb7luhxIgK+DNYIiRs1T8M7Eu6KX1wke3G:Zb7luYgKKNxiRsOM7E0QW
ImpHash: e8f2df81b7f95f75c926f6d64aa71cb5 		Access, Write Created File
C:\Users\BMe1N39jU1 6criBQ\AppData\Roaming\Intel\Sign.bin - Access
C:\Users\BMe1N39jU1 6criBQ\Documents - Access
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll - Access
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config - Access
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml - Access, Read
Registry (67)
»
Registry Key Name Operations
HKEY_CURRENT_USER Access
HKEY_CURRENT_USER\Environment Access
HKEY_CURRENT_USER\Environment\PSMODULEPATH Read
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_CURRENT_USER\Software\Microsoft\Command Processor Access
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Intel Helper Write
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion Read
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\First Counter Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\IsMultiInstance Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\Library Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\CategoryOptions Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\Counter Names Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\FileMappingSize Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Access
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment Access
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH Read
HKEY_PERFORMANCE_DATA Access
Mutex (1)
»
Mutex Name Operations
Global\.net clr networking Access, Delete
Domain (4)
»
Domain Sources
i86h.com Function Log, PCAP
185.68.93.18 PCAP
89.223.92.202 PCAP
o5zinuqxjzk Function Log
URL (6)
»
URL Operations Sources
http://i86h.com/data2.dat GET Function Log
http://i86h.com/data3.dat GET Function Log
http://i86h.com/ OPTIONS PCAP
http://i86h.com/data1.dat POST PCAP
http://185.68.93.18/dot.php POST PCAP
http://89.223.92.202/mo.enc POST PCAP
IP (3)
»
IP Protocols Sources
217.182.53.69 HTTP, TCP, UDP Function Log, PCAP
185.68.93.18 HTTP, TCP Function Log, PCAP
89.223.92.202 HTTP, TCP Function Log, PCAP
Export IOCs
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image