2c5729e1...d7c6

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Trojan, Dropper, Downloader

2c5729e17b64cd4e905ccfeabbc913ed945e17625c35ec1d6932194aae83d7c6 (SHA256)

DOC_443353149786_10082018.pdf

PDF Document

Created at 2018-08-10 12:36:00

Notifications (2/2)

The overall sleep time of all monitored processes was truncated from "20 minutes, 15 seconds" to "2 minutes" to reveal dormant functionality.

The operating system was rebooted during the analysis.

Severity	Category	Operation	Classification
4/5	Process	Creates process	-
Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". ... VTI Actions Go to function call
Creates process "C:\Users\BME1N3~1\AppData\Local\Temp\cmd_.exe". ... VTI Actions Go to function call
4/5	File System	Known malicious file	Trojan
File "C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe" is a known malicious file. ... VTI Actions Go to file details Go to function call
4/5	Network	Downloads data	Downloader
URL "http://i86h.com/data2.dat". ... VTI Actions Go to function call
URL "http://i86h.com/data3.dat". ... VTI Actions Go to function call
3/5	Network	Performs DNS request	-
Resolves host name "i86h.com". ... VTI Actions Go to function call
Resolves host name "o5zInUQXjZk". ... VTI Actions Go to function call
3/5	Persistence	Installs system startup script or application	-
Adds "C:\Users\BME1N3~1\AppData\Local\Temp\cmd_.exe -a" to Windows startup via registry. ... VTI Actions Go to function call
3/5	Anti Analysis	Delays execution	-
One thread sleeps more than 5 minutes. ... VTI Actions Go to function call
3/5	PE	Executes dropped PE file	-
Executes dropped file "C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe". ... VTI Actions Go to file details Go to function call
2/5	Network	Connects to HTTP server	-
URL "i86h.com/data2.dat". ... VTI Actions Go to function call
URL "i86h.com/data3.dat". ... VTI Actions Go to function call
2/5	PE	Drops PE file	Dropper
Drops file "C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe". ... VTI Actions Go to file details Go to function call
1/5	Process	Creates system object	-
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to function call
1/5	Static	Contains PDF JavaScript	-
PDF document contains JavaScript. ... VTI Actions Go to file details
1/5	Static	Contains embedded files	-
Document contains unknown embedded files. ... VTI Actions Go to file details

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (2/2)

Before

After