VMRay Analyzer Report for Sample #415917
Generated by VMRay Analyzer 2.3.2
Process 1
PID: 2332
Image name: excel.exe
Parent PID: 924
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
Working directory: C:\Users\aETAdzjz\Desktop\
Image path: c:\program files\microsoft office\root\office16\excel.exe
Relationships: Child_Of (parent process); 2 x Created; 34 x Opened
Process 2
PID: 1040
Image name: regsvr32.exe
Parent PID: 2332 (excel.exe)
Command line: regsvr32.exe /s /n /u /i:C:\Users\aETAdzjz\AppData\Local\Temp\12-B-366.txt scrobj.dll
Working directory: C:\Users\aETAdzjz\Desktop\
Image path: c:\windows\system32\regsvr32.exe
Relationships: Child_Of (PID 2332); 6 x Opened
Note: this command line is the "Squiblydoo" pattern (ATT&CK T1218.010, System Binary Proxy Execution: Regsvr32). /n tells regsvr32 not to call DllRegisterServer, /u selects the uninstall path, /s suppresses dialogs, and /i: passes its argument to the DllInstall export of scrobj.dll, which loads that argument as a COM scriptlet and runs the script it contains. The .txt extension is irrelevant to scrobj.dll, nothing is written to the registry, and the script runs under the identity of regsvr32.exe, a signed Microsoft binary, which is why the technique is used against application-whitelisting policies that trust Microsoft-signed executables.
Process 3
PID: 2164
Image name: powershell.exe
Parent PID: 1040 (regsvr32.exe)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -File C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1
Working directory: C:\Users\aETAdzjz\Desktop\
Image path: c:\windows\system32\windowspowershell\v1.0\powershell.exe
Relationships: Child_Of (PID 1040); 1 x Created; 1 x Wrote_To; 6 x Read_From; 68 x Opened
Note: -exec bypass is -ExecutionPolicy Bypass (powershell.exe accepts unambiguous prefixes of parameter names), so the script in %TEMP% runs regardless of the configured execution policy; the execution policy is a safeguard against accidental script execution, not a security boundary, and detection logic should treat any prefix of -ExecutionPolicy followed by Bypass or Unrestricted as equivalent. -noexit keeps the PowerShell process alive after WINDOWSTEMP.ps1 finishes, which is why the analysis ran to its timeout.
WinRegistryKey objects (35 entries; VBA engine settings and type-library lookups made when the macro project is loaded: {00020813-...} is the Excel object library, {00020430-...} is stdole/OLE Automation, {2DF8D04C-...} is the Microsoft Office object library)
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common (values: RequireDeclaration, CompileOnDemand, NotifyUserBeforeStateLoss, BackGroundCompile, BreakOnAllErrors, BreakOnServerErrors)
HKEY_CLASSES_ROOT\Licenses
HKEY_CLASSES_ROOT\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9
HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409
HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9
HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0
HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64
HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0
HKEY_CLASSES_ROOT\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common (value: VbaCapability)
HKEY_CLASSES_ROOT\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0
HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7
HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64
WinRegistryKey objects (6 entries; regsvr32.exe and scrobj.dll start-up lookups)
HKEY_CLASSES_ROOT\.dll
HKEY_CLASSES_ROOT\dllfile
HKEY_CLASSES_ROOT\dllfile\AutoRegister
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 (value: COM+Enabled)
HKEY_CLASSES_ROOT\.dll
File objects (10 entries; PowerShell console handles, its bundled type/format data, and the script it was told to run)
conout$
STD_OUTPUT_HANDLE
STD_INPUT_HANDLE
STD_ERROR_HANDLE
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml (ps1xml)
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml (ps1xml)
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml (ps1xml)
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml (ps1xml)
c:\users\aetadzjz\appdata\local\temp\windowstemp.ps1 (ps1)
conin$
WinRegistryKey objects (65 entries; PowerShell engine start-up: WSMAN stack version, engine ApplicationBase, PSModulePath, event-log source enumeration, and the policy keys)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN (values: StackVersion, StackVersion)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN (values: StackVersion, StackVersion)
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine (values: ApplicationBase, ApplicationBase)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment (values: PSMODULEPATH, PSMODULEPATH)
HKEY_CURRENT_USER\Environment (value: PSMODULEPATH)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell (values: path, path)
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine (values: ApplicationBase, ApplicationBase)
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine (values: ApplicationBase, ApplicationBase)
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine (values: ApplicationBase, ApplicationBase)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
The following 10 keys are then accessed three more times in succession (30 entries):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine (values: ApplicationBase, ApplicationBase)
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine (values: ApplicationBase, ApplicationBase)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds (value: PipelineMaxStackSizeMB)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds (value: PipelineMaxStackSizeMB)
Note: the two Software\Policies\Microsoft\Windows\PowerShell keys are where Group Policy stores the ExecutionPolicy, ScriptBlockLogging, ModuleLogging and Transcription settings, and PowerShell reads them at every start. Script block logging captures the content of every script block it runs, WINDOWSTEMP.ps1 included, into the Microsoft-Windows-PowerShell/Operational log (event 4104) regardless of -ExecutionPolicy Bypass; on Windows 7 that requires PowerShell 5 (WMF 5.x), which is not indicated by this analysis environment.
Analyzed Sample #415917 (Malware Artifacts)
Sample-ID: #415917
Job-ID: #563876
This sample was analyzed by VMRay Analyzer 2.3.2 on a Windows 7 system.
VTI Score: 93 (based on VTI Database Version 3.1)

Metadata of Sample File #415917
Submission-ID: #697340
File name: 513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8.xls
File type: xls
MD5: 5c3f96ade0ea67eef9d25161c64e6f3e
SHA1: 524f2c9f62703027b1ebbf1fc16a4a7506d6ff20
SHA256: 513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8
Relationship: Opened_By (process)

Metadata of Analysis for Job-ID #563876
Termination reason: Timeout
VM configuration: win7_64_sp1-mso2016
Operating system: Windows 7, version 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa), x86 64-bit
User name: aETAdzjz
Other recorded fields (labels not preserved in this export): YKYD69Q, YKYD69Q, False, True, 0
Property collection with additional information from the VMRay Analyzer analysis.
VTI rule matches

[Process] Creates process (vmray_document_create_process, score 4/5): Creates process "regsvr32.exe /s /n /u /i:C:\Users\aETAdzjz\AppData\Local\Temp\12-B-366.txt scrobj.dll".
[Process] Creates process (vmray_document_create_process, score 4/5): Creates process "powershell.exe -noexit -exec bypass -File C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1".
[Process] Creates process (vmray_document_create_process, score 4/5): Creates process "C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe" (command line quoted as shown).
[Process] Creates process (vmray_document_create_process, score 4/5): Creates process "C:\Users\aETAdzjz\AppData\Local\Temp\OFFICE~1.EXE" "C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe" (the executable is referenced by its 8.3 short name and given the long path of OfficeUpdateService.exe as its argument).
[Process] Creates process (vmray_document_create_process, score 4/5): Creates process C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe (unquoted).
[Static] Unparsable sections in file (vmray_static_analysis_parser_error, score 1/5): Static analyzer was unable to completely parse the analyzed file C:\Users\aETAdzjz\Desktop\=UTF-8B2KfZhNmB2YfYp9ix2LMueGxzbQ===.xls.
Note on the file name: "=UTF-8B2KfZhNmB2YfYp9ix2LMueGxzbQ===" is an RFC 2047 MIME encoded-word (=?UTF-8?B?...?=) with the "?" separators dropped, i.e. the attachment name as it appeared in the e-mail header; the base64 decodes to the Arabic name الفهارس.xlsm, while the analyzer stored the file with an .xls extension.
[VBA Macro] Contains Office macro (vmray_has_vba_macro, score 1/5): Office document contains a VBA macro.
[VBA Macro] Executes macro on specific worksheet event (vmray_execute_macro_automatically, score 2/5): Executes macro automatically on target "workbook" and event "open" (a Workbook_Open handler, so the chain starts as soon as macros are enabled).
[VBA Macro] Creates suspicious COM object (vmray_create_suspicious_com_object, score 2/5): CreateObject("WScript.Shell").
[YARA] YARA match (vmray_yara_match, score 3/5): Rule "VBA_Create_File" from ruleset "Generic" has matched for "C:\Users\aETAdzjz\Desktop\=UTF-8B2KfZhNmB2YfYp9ix2LMueGxzbQ===.xls".
[YARA] YARA match (vmray_yara_match, score 3/5): Rule "VBA_Execution_Commands" from ruleset "Generic" has matched for "C:\Users\aETAdzjz\Desktop\=UTF-8B2KfZhNmB2YfYp9ix2LMueGxzbQ===.xls".
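The process tree (Excel, then regsvr32 with scrobj.dll, then PowerShell) and the "Creates process" VTI matches above are what a detection engineer would key on. The following is an added example, not part of the VMRay report and not VMRay's code: it embeds the five command lines from this report as constructed input and runs a handful of rules over them (Office application anywhere in the ancestry of a LOLBin, the regsvr32 /i: + scrobj.dll pattern, -ExecutionPolicy Bypass in any of its abbreviated spellings, a -File target under %TEMP%, and an executable launched from %TEMP%). The rule names, the Office and LOLBin lists, and the %TEMP% heuristic are assumptions made for this example; the two OfficeUpdateService.exe entries carry no PID or parent because the report records none.

```python
"""Detection rules over the process chain recorded in this report.

Added example, not VMRay's code. The five command lines in REPORT_PROCS are
copied from the report (process tree and "Creates process" VTI matches);
the rule names, the LOLBin list and the %TEMP% heuristic are assumptions
made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: Optional[int]      # None where the report records no PID (VTI-only entries)
    image: str              # lower-case image file name
    ppid: Optional[int]
    cmdline: str


# Constructed from the report. The last two entries exist only as VTI
# "Creates process" matches, which carry no PID or parent.
REPORT_PROCS = [
    Proc(2332, "excel.exe", 924,
         r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"'),
    Proc(1040, "regsvr32.exe", 2332,
         r"regsvr32.exe /s /n /u /i:C:\Users\aETAdzjz\AppData\Local\Temp\12-B-366.txt scrobj.dll"),
    Proc(2164, "powershell.exe", 1040,
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
         r"-noexit -exec bypass -File C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1"),
    Proc(None, "officeupdateservice.exe", None,
         r'"C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe"'),
    Proc(None, "office~1.exe", None,  # 8.3 short name, as the report shows it
         r'"C:\Users\aETAdzjz\AppData\Local\Temp\OFFICE~1.EXE" '
         r'"C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe" '),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "powershell.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "cmd.exe", "certutil.exe"}
TEMP_DIR = "\\appdata\\local\\temp\\"   # assumed user-writable drop location

# Squiblydoo: the /i: argument is handed to scrobj.dll's DllInstall, which
# loads it as a COM scriptlet; the file extension is irrelevant.
SCROBJ_RE = re.compile(r'/i:("[^"]+"|\S+).*\bscrobj\.dll\b', re.I)
# powershell.exe accepts parameter-name prefixes: -ExecutionPolicy may be
# spelled -ex, -exe, -exec, ... or the alias -ep.
EXEC_BYPASS_RE = re.compile(r"(?<!\S)-(?:ep|ex[a-z]*)\s+bypass\b", re.I)
# -File may likewise be shortened down to -f.
FILE_RE = re.compile(r'(?<!\S)-f(?:i(?:le?)?)?\s+("[^"]+"|\S+)', re.I)
FIRST_TOKEN_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

Finding = Tuple[str, Optional[int], str]   # (rule, pid, detail)


def image_path(cmdline: str) -> str:
    """First (possibly quoted) token of a Windows command line."""
    m = FIRST_TOKEN_RE.match(cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def ancestry(procs: List[Proc], pid: Optional[int]) -> List[str]:
    """Image names from the given process up the parent chain, as far as
    the report resolves it (an unknown parent or a cycle ends the walk)."""
    by_pid = {p.pid: p for p in procs if p.pid is not None}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def analyze(procs: List[Proc]) -> List[Finding]:
    findings: List[Finding] = []
    for p in procs:
        cl = p.cmdline
        chain = ancestry(procs, p.pid)
        # LOLBin with an Office application anywhere above it, not only as parent
        if p.image in LOLBINS and any(a in OFFICE_APPS for a in chain[1:]):
            findings.append(("office_ancestor_lolbin", p.pid, " <- ".join(chain)))
        if p.image == "regsvr32.exe":
            m = SCROBJ_RE.search(cl)
            if m:
                findings.append(("regsvr32_scrobj_scriptlet", p.pid, m.group(1).strip('"')))
        if p.image == "powershell.exe":
            if EXEC_BYPASS_RE.search(cl):
                findings.append(("powershell_exec_bypass", p.pid, "-ExecutionPolicy Bypass"))
            m = FILE_RE.search(cl)
            if m and TEMP_DIR in m.group(1).lower():
                findings.append(("powershell_script_in_temp", p.pid, m.group(1).strip('"')))
        img = image_path(cl).lower()
        if TEMP_DIR in img and img.endswith(".exe"):
            findings.append(("exe_launched_from_temp", p.pid, img))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(REPORT_PROCS):
        print(f"{rule:28} pid={pid!s:5} {detail}")
```

Run as-is it prints seven findings: two for regsvr32.exe (Office ancestor, scriptlet via scrobj.dll), three for powershell.exe (Office ancestor through regsvr32, execution-policy bypass, script under %TEMP%) and one for each OfficeUpdateService.exe launch. The ancestry walk matters because the PowerShell process here is a grandchild of Excel; a rule that only compares a process with its direct parent would miss it.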