6ce1abc4...914f | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Spyware, Exploit, Downloader, Dropper

Remarks (2/2)

(0x200000e): The overall sleep time of all monitored processes was truncated from "30 seconds" to "20 seconds" to reveal dormant functionality.

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Filename: C:\Users\aETAdzjz\Desktop\CMG 4 263 PAYMENT ADVICE.xlsx
Category: Sample File
Type: Unknown
Severity: Malicious
Mime Type: application/x-office-encrypted
File Size: 771.99 KB
MD5: ff014dad028864b1571707f83bf65a46
SHA1: 93a1c9b846e5aeed825a8d62c38e3a9e0958519c
SHA256: 6ce1abc4a205179447e264a05e9f3a04e2fd4009b7a59bc7054fd78c6f15914f
SSDeep: 12288:nP6jkBPIkcIan7FKIPef7a8oFu+PUyxdtGmjsHkDnN74q6n1cgPJWaLETi:nP6xF/nZeTfxnOKknV/6nugJYTi
Local AV Matches (1)
Threat Name: Exploit.CVE-2017-11882.Gen
Severity: Malicious
Filename: C:\Users\Public\vbc.exe
Category: Downloaded File
Type: Binary
Severity: Unknown
Also Known As: C:\Users\aETAdzjz\s.exe (Downloaded File)
Also Known As: c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\win32[1].exe (Modified File)
Parent File: analysis.pcap
Mime Type: application/vnd.microsoft.portable-executable
File Size: 753.00 KB
MD5: 83153cdead58be81d90ffb518a1c87fe
SHA1: 519dcf5eb793527b93b1af82548ed9aa8fbeb5b6
SHA256: 270e56e60bab1c286c06f71fcf3b9b5a1b6b17d3acfb1f939d6b988400ddea7a
SSDeep: 12288:IS49pgN6PiNfCZL3Bv1X1/SI1wJyJYfVYMLvMXZG+k:LiihCV9NtALLEJz
Filename: c:\users\aetadzjz\appdata\roaming\microsoft\windows\start menu\programs\startup\hjdytuap.exe
Category: Dropped File
Type: Binary
Severity: Unknown
Mime Type: application/vnd.microsoft.portable-executable
File Size: 756.00 KB
MD5: 1bba1a34082378809ad44d6bd0e7a7f9
SHA1: ff593f332adb50d4389b0e0d4632016248c4a8cb
SHA256: 9cd4ae67b1334a6b3d7acfeac4bf052befc2fa3389c76b6d70c03661b4af3ccf
SSDeep: 12288:IS49pgN6PiNfCZL3Bv1X1/SI1wJyJYfVYMLvMXZG+k:LiihCV9NtALLEJz
ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
Parser Error Remark: Static engine was unable to completely parse the analyzed file
PE Information
Image Base: 0x400000
Entry Point: 0x43e3ae
Size Of Code: 0x3c400
Size Of Initialized Data: 0x7fe00
File Type: executable
Subsystem: windows_gui
Machine Type: i386
Compile Timestamp: 2019-07-31 05:12:04+00:00

Sections (3)
Name    Virtual Address  Virtual Size  Raw Data Size  Raw Data Offset  Flags                                                                          Entropy
.text   0x402000         0x3c3b4       0x3c400        0x200            IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                  5.84
.rsrc   0x440000         0x7fb24       0x7fc00        0x3c600          IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             7.44
.reloc  0x4c0000         0xc           0x200          0xbc200          IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ  0.1

Imports (1)
mscoree.dll (1)
API Name     Ordinal  IAT Address  Thunk RVA  Thunk Offset  Hint
_CorExeMain  0x0      0x402000     0x3e388    0x3c588       0x0
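Two details in the static data above are the ones a triage analyst would act on: the .rsrc section sits at 7.44 bits per byte next to a .text of 5.84, which is the profile of a loader carrying a compressed or encrypted payload in its resources, and the import table consists solely of mscoree.dll!_CorExeMain, the single import every managed (.NET) executable carries, so the real logic is in CIL rather than in native code. The following Python is added here as an illustration and is not part of the VMRay report or of the analysed sample. It parses a PE section table directly with struct (no pefile dependency), computes per-section Shannon entropy and flags sections above a threshold. The 7.0 threshold, the build_test_pe helper, SAMPLE_PE and its pseudo-random section contents are assumptions constructed for the example; the report's own numbers are not recomputed here because the binary itself is not on the page.

```python
import math
import random
import struct
from typing import Dict, List

# Section characteristic bits from the PE spec (the flags column of the report).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
FILE_ALIGN = 0x200


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    each section's name, addresses, flags and the entropy of its raw file bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "raw_offset": raw_ptr,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def suspicious_sections(sections: List[Dict], threshold: float = 7.0) -> List[str]:
    """Names of sections whose raw bytes look compressed or encrypted.
    The 7.0 bits/byte threshold is an assumption for this example, not a VMRay setting."""
    return [s["name"] for s in sections if s["entropy"] >= threshold]


def build_test_pe(sections: List[tuple]) -> bytes:
    """Construct a minimal PE32 file from (name, characteristics, raw_bytes) tuples.
    This is test input built for the example, not the binary from the report."""
    num = len(sections)
    opt_size = 224                                  # PE32 optional header
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * num
    hdr_aligned = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: "PE\0\0" right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)  # ImageBase, SectionAlignment, FileAlignment
    table, body = bytearray(), bytearray()
    raw_ptr, va = hdr_aligned, 0x1000
    for name, chars, data in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                             len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += max(0x1000, -(-len(data) // 0x1000) * 0x1000)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return header.ljust(hdr_aligned, b"\0") + bytes(body)


# Constructed sample (not the dropped hjdytuap.exe): three sections mirroring the
# report's layout, with deterministic pseudo-random bytes standing in for packed resources.
_rng = random.Random(2019)
SAMPLE_PE = build_test_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
     b"\x55\x8b\xec\x83\xec\x10" * 256),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ,
     bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ,
     b"\x00\x20\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00"),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name']:<8} va=0x{s['virtual_address']:08x} raw=0x{s['raw_size']:x} "
              f"exec={s['executable']} entropy={s['entropy']:.2f}")
    print("high-entropy sections:", suspicious_sections(parse_sections(SAMPLE_PE)))
```

Run against a real dropped file, parse_sections(open(path, "rb").read()) gives the same columns the report prints; an entropy near 8 in a non-executable section is a cue to carve the resources (for a .NET sample, the managed resources) rather than to spend time on the thin native stub. The report's "Static engine was unable to completely parse the analyzed file" remark is worth keeping in mind: a parser this simple trusts the section table, so a malformed raw offset or size will yield a truncated slice and a misleadingly low entropy.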
Icons (1)
Memory Dumps (4)
Name    Process ID  Start VA    End VA      Dump Reason      PE Rebuild  Bitness  Entry Points  AV     YARA
buffer  4           0x00400000  0x00402FFF  First Execution  -           32-bit   0x00400000    False  True
buffer  4           0x00410000  0x00412FFF  First Execution  -           32-bit   0x00410000    False  True
buffer  8           0x00420000  0x00422FFF  First Execution  -           32-bit   0x00420000    False  True
buffer  8           0x00870000  0x00872FFF  First Execution  -           32-bit   0x00870000    False  True
Filename: C:\Users\aETAdzjz\AppData\Local\Temp\637041562706118000_5a486d91-5e81-407c-a6d9-16017ea3a659.db
Category: Dropped File
Type: Stream
Severity: Unknown
Also Known As: C:\Users\aETAdzjz\AppData\Local\Temp\637041563908370000_d3625fbb-19c3-4284-a122-f008796776d0.db (Dropped File)
Mime Type: application/octet-stream
File Size: 16.00 KB
MD5: 478eeafbb12c55cbec0cbeafb984fed6
SHA1: 147bfddeb74a93227e90f058b5d075b4343a37c8
SHA256: 9239ca0e958d9d9d846202cf7636291130782a02dcbb77eb80a71eeb5574ab82
SSDeep: 3:Lt/hV/plfltt/lE9lllnldlHGltdl/l8/V0V6CVgnG5YRgRzW3Wq3VhjluPjqwod:5X9cvVmXy/VcRK3Xhj03tDiSgJH0cLD