3692f99b...4ab2 | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Exploit, Dropper, Downloader

3692f99b76663e864b3fae22828ab01021dcc50c33f5ec041aa3b055478a4ab2 (SHA256)

receipt_FedEX_4028873.doc

Word Document

Created at 2018-12-06 22:25:00

...

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "45 seconds" to "30 seconds" to reveal dormant functionality.

Indicators

File (43)
»
Filename Hash Operations Source
C:\ - Access
C:\Users - Access
C:\Users\aETAdzjz - Access
C:\Users\aETAdzjz\AppData\Local\Temp\FAQ - Access
C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat MD5: 6281f5c42be41eaf431acc826cb8f1bf
SHA1: 75d4aa452b5c232a2f1d9e74ccd7d616d6d66171
SHA256: e2a20c742f2100307b7bc99b92cab49a3821bb1cef322284c3440a040a991de2
SSDeep: 12:ssHARPuwtosKMzr+GCrSF2q0Fiiefh7Meiw1r9KMzrl:tHgPuwa6zrfCFi9h7H9zrl
ImpHash: None 		Access, Write Created File
C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe MD5: 94df3603fba467e0fff637c55c8b6d1b
SHA1: 93f6cd1834a402f78497d2978d3a3a58ec3bfd66
SHA256: 4f9eb9ef4ef021679de344f227bc6e162f1e5bcc6950d63ee870718380c58016
SSDeep: 12288:mw4zMV6fcJUCT+ZiO852/Ico+/fT3aBtYg:P8fcJUCTjOy2eGT36tx
ImpHash: 18da4215c6f786f6bd7fecba770e2636 		Access, Write Created File
C:\Users\aETAdzjz\AppData\Roaming\WinDefrag - Access
Data\ - Access
C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe MD5: 94df3603fba467e0fff637c55c8b6d1b
SHA1: 93f6cd1834a402f78497d2978d3a3a58ec3bfd66
SHA256: 4f9eb9ef4ef021679de344f227bc6e162f1e5bcc6950d63ee870718380c58016
SSDeep: 12288:mw4zMV6fcJUCT+ZiO852/Ico+/fT3aBtYg:P8fcJUCTjOy2eGT36tx
ImpHash: 18da4215c6f786f6bd7fecba770e2636 		Access Created File
C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.tmp - Access
C:\Users\aETAdzjz\Desktop - Access
"C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat" - Access
C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 - Access
C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 - Access
C:\Windows - Access
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll - Access
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config - Access, Read
C:\Windows\system32 - Access
C:\Windows\System32\WindowsPowerShell\v1.0 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config - Access
C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0 - Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 - Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config - Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 - Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml - Access, Read
Registry (132)
»
Registry Key Name Operations
HKEY_CLASSES_ROOT\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures Access
HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 Access
HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32\ThreadingModel Read
HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID Read
HKEY_CLASSES_ROOT\Licenses Access
HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 Read
HKEY_CLASSES_ROOT\TypeLib Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 Access, Read
HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} Access
HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2 Access
HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9 Access
HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 Access, Read
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 Access, Read
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 Access
HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} Access
HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0 Access
HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0 Access
HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64 Access, Read
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 Access, Read
HKEY_CLASSES_ROOT\Typelib Access
HKEY_CLASSES_ROOT\Typelib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} Access
HKEY_CURRENT_USER Access
HKEY_CURRENT_USER\Environment Access
HKEY_CURRENT_USER\Environment\PSMODULEPATH Read
HKEY_CURRENT_USER\Environment\path Read
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_CURRENT_USER\Software\Microsoft\Command Processor Access
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common Access
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AlignToGrid Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackgroundProjectLoad Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CollapseWindows Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CtlsShowSelected Read, Write
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Designers Access
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Dock Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\DsnShowSelected Read, Write
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FolderView Read, Write
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\GridHeight Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\GridWidth Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\MainWindow Read, Write
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\MdiMaximized Read, Write
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\PropertiesWindow Read, Write
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ReadOnlyMode Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\SaveBeforeRun Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ShowGrid Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ShowToolTips Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Tool Read, Write
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ToolboxControls Access
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\UI Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\UpgradeVBX Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\VBE\6.0\Addins64 Access
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications Write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\PipelineMaxStackSizeMB Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion Read
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Access
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware Write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\ApplicationBase Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\StackVersion Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\StackVersion Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\path Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType Read
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment Access
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH Read
HKEY_PERFORMANCE_DATA Access
System Access
System\PowerShell Access
Windows PowerShell Access
Windows PowerShell\PowerShell Access
Mutex (25)
»
Mutex Name Operations
Global\.net clr networking Access, Delete
Global\E0B7509842600 Access
gcc-shmem-tdm2-_pthread_cancelling_shmem Access, Delete
gcc-shmem-tdm2-_pthread_key_dest_shmem Access, Delete
gcc-shmem-tdm2-_pthread_key_lock_shmem Access, Delete
gcc-shmem-tdm2-_pthread_key_max_shmem Access, Delete
gcc-shmem-tdm2-_pthread_key_sch_shmem Access, Delete
gcc-shmem-tdm2-_pthread_tls_once_shmem Access, Delete
gcc-shmem-tdm2-_pthread_tls_shmem Access, Delete
gcc-shmem-tdm2-cond_locked_shmem_rwlock Access, Delete
gcc-shmem-tdm2-fc_key Access, Delete
gcc-shmem-tdm2-idListCnt_shmem Access, Delete
gcc-shmem-tdm2-idListMax_shmem Access, Delete
gcc-shmem-tdm2-idListNextId_shmem Access, Delete
gcc-shmem-tdm2-idList_shmem Access, Delete
gcc-shmem-tdm2-mtx_pthr_locked_shmem Access, Delete
gcc-shmem-tdm2-mutex_global_shmem Access, Delete
gcc-shmem-tdm2-mutex_global_static_shmem Access, Delete
gcc-shmem-tdm2-mxattr_recursive_shmem Access, Delete
gcc-shmem-tdm2-once_global_shmem Access, Delete
gcc-shmem-tdm2-once_obj_shmem Access, Delete
gcc-shmem-tdm2-pthr_root_shmem Access, Delete
gcc-shmem-tdm2-rwl_global_shmem Access, Delete
gcc-shmem-tdm2-sjlj_once Access, Delete
gcc-shmem-tdm2-use_fc_key Access, Delete
Domain (2)
»
Domain Sources
46.173.218.240 Function Log
icanhazip.com PCAP, Function Log
URL (3)
»
URL Operations Sources
http://46.173.218.240/uncle_sam.php GET Function Log
http://46.173.218.240/lisa.abc GET Function Log
HTTP://icanhazip.com/ GET Function Log
IP (5)
»
IP Protocols Sources
46.173.218.240 HTTP, TCP Function Log
147.75.40.2 HTTP, TCP, UDP Function Log, PCAP
182.253.20.66 TCP Function Log, PCAP
193.187.172.11 TCP PCAP
2.16.100.179 TCP PCAP
Export IOCs
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image