VMRay Analyzer Report
VTI Score 91 / 100 | |
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 13 |
| VTI Rule Type | Default (PE, ...) |
 | Anti Analysis | |
| Illegitimate API usage | |
Internal API "CreateProcessInternalA" was used to start "explorer.exe". | ||
| Try to detect virtual machine | |
Readout system information, commonly used to detect VMs via registry. (Value "0" in key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum"). | ||
| Hide Tracks | |
| Delete file after execution | |
Delete executable "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe". | ||
| Injection | |
| Write into memory of an other process | |
"c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" modifies memory of "c:\windows\syswow64\explorer.exe" | ||
| Network | |
| Connect to remote host | |
Outgoing TCP connection to host "www.msn.com:80". | ||
Outgoing TCP connection to host "104.84.181.107:80". | ||
| Download data | |
Url "http://www.msn.com/". | ||
Url "http://go.microsoft.com/fwlink/?LinkId=133405". | ||
| Persistence | |
| Install system startup script or application | |
Add "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe" to windows startup via registry. | ||
| Process | |
| Allocate a page with write and execute permissions | |
Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. | ||
| Create process with hidden window | |
The process "explorer.exe" starts with hidden window. | ||
| Read from memory of an other process | |
"c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" reads from "explorer.exe". | ||
| Create system object | |
Create mutex with name "FCAA85F5B5437C4D7919D716988890AF30565E9E". | ||
| - | Browser | |
| - | Device | |
| - | File System | |
| - | Information Stealing | |
| - | Kernel | |
| - | Masquerade | |
| - | OS | |
| - | PE | |
| - | VBA Macro | |
| - | YARA | |
