6dd9d1ae...a9d7

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Trojan, Dropper, Downloader

6dd9d1ae591aa1c238d27b7d29b4d16775e02350637efc7659a7de6b062aa9d7 (SHA256)

Documento.doc

Word Document

Created at 2018-11-24 01:38:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Severity	Category	Operation	Classification
4/5	Process	Creates process	-
Creates process "C:\Windows\system32\cmd.exe". ... VTI Actions Go to function call
Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". ... VTI Actions Go to function call
Creates process "C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe". ... VTI Actions Go to function call
Creates process "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe". ... VTI Actions Go to function call
4/5	File System	Known malicious file	Trojan
File "C:\Users\aETAdzjz\Desktop\Documento.doc" is a known malicious file. ... VTI Actions Go to file details
File "C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe" is a known malicious file. ... VTI Actions Go to file details
4/5	Network	Downloads data	Downloader
URL "http://lifewithdogmovie.com/0K3jRwA". ... VTI Actions Go to function call
URL "HTTP://72.48.172.106". ... VTI Actions Go to function call
URL "HTTP://201.120.89.60". ... VTI Actions Go to function call
URL "HTTP://47.32.209.86". ... VTI Actions Go to function call
3/5	PE	Executes dropped PE file	-
Executes dropped file "C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe". ... VTI Actions Go to file details
3/5	YARA	YARA match	-
Rule "Document_Contains_Execution_Commands" from ruleset "Malicious-Documents" has matched for "C:\Users\aETAdzjz\Desktop\Documento.doc" ... VTI Actions Go to YARA match
2/5	Network	Associated with known malicious/suspicious URLs	-
URL "http://lifewithdogmovie.com/0K3jRwA" is known as malicious URL. ... VTI Actions Go to function call
URL "http://lifewithdogmovie.com/0K3jRwA/" is known as malicious URL. ... VTI Actions
2/5	Network	Connects to HTTP server	-
URL "http://lifewithdogmovie.com/0K3jRwA". ... VTI Actions Go to function call
URL "72.48.172.106". ... VTI Actions Go to function call
URL "201.120.89.60". ... VTI Actions Go to function call
URL "47.32.209.86". ... VTI Actions Go to function call
2/5	PE	Drops PE file	Dropper
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe". ... VTI Actions Go to file details
2/5	VBA Macro	Executes macro on specific worksheet event	-
Executes macro automatically on target "auto" and event "open". ... VTI Actions Go to macro
1/5	Process	Creates system object	-
Creates mutex with name "PEMB08". ... VTI Actions Go to function call
Creates mutex with name "PEMBC8". ... VTI Actions Go to function call
Creates mutex with name "Global\I705BA84C". ... VTI Actions Go to function call
Creates mutex with name "Global\M705BA84C". ... VTI Actions Go to function call
1/5	Static	Contains suspicious meta data	-
Office document contains below average content data. ... VTI Actions Go to file details
1/5	VBA Macro	Contains Office macro	-
Office document contains a VBA macro. ... VTI Actions Go to file details

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (1/1)

Before

After