a14e514d...0b34

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Dropper, Downloader

a14e514ddfc3a921c5a9e2fc9b931bc734b4927fa9d4b011ab77f9e46da50b34 (SHA256)

Order_Payroll_81154032.doc

Word Document

Created at 2019-02-06 16:40:00

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "20 seconds" to "10 seconds" to reveal dormant functionality.

Indicators

File (45)

Filename	Hash	Operations	Source
C:\	-	Access
C:\Users	-	Access
C:\Users\aETAdzjz	-	Access
C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe	MD5: a748a4e6151f6d75cf93b2f899df23df SHA1: 08f90b5474ba8e250d9b824602fe4cec6366bc48 SHA256: 2044fcca53a6dc26425147b78971bee2225f4e8ea3e096100e4edfbad1dac16d SSDeep: 6144:X11gGxJkPcgfqAAJ6ONxZ4cYjxfaQYf1QbicnRcftAhQgGNxRUc:X11goJkP/NAJEcYd7YfEc+AB ImpHash: 5a023790893b5e39d98bc45c2dbd1845	Access, Write	Created File
C:\Users\aETAdzjz\AppData\Roaming\cleanmem	-	Access
Data\	-	Access
C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe	MD5: a748a4e6151f6d75cf93b2f899df23df SHA1: 08f90b5474ba8e250d9b824602fe4cec6366bc48 SHA256: 2044fcca53a6dc26425147b78971bee2225f4e8ea3e096100e4edfbad1dac16d SSDeep: 6144:X11gGxJkPcgfqAAJ6ONxZ4cYjxfaQYf1QbicnRcftAhQgGNxRUc:X11goJkP/NAJEcYd7YfEc+AB ImpHash: 5a023790893b5e39d98bc45c2dbd1845	Access	Created File
C:\Users\aETAdzjz\Desktop	-	Access
C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1	-	Access
C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1	-	Access
C:\Windows	-	Access
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll	-	Access
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	-	Access, Read
C:\Windows\system32	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	-	Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	-	Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	-	Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	-	Access
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	-	Access, Read
C:\Windows\SysWOW64\ntdll.dll	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0	-	Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1	-	Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config	-	Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1	-	Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml	-	Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml	-	Access, Read

Registry (88)

Registry Key Name	Operations
HKEY_CLASSES_ROOT\Licenses	Access
HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7	Read
HKEY_CLASSES_ROOT\TypeLib	Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	Access, Read
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7	Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0	Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64	Access, Read
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409	Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9	Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8	Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64	Access, Read
HKEY_CURRENT_USER	Access
HKEY_CURRENT_USER\Environment	Access
HKEY_CURRENT_USER\Environment\PSMODULEPATH	Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor	Access
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun	Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar	Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor	Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion	Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck	Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions	Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar	Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	Access
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile	Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors	Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors	Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand	Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss	Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration	Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability	Read
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path	Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB	Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications	Write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion	Read
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	Access
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware	Write
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun	Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar	Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor	Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion	Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck	Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions	Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar	Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase	Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\StackVersion	Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType	Read
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	Access
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH	Read
HKEY_PERFORMANCE_DATA	Access
System	Access
System\PowerShell	Access
Windows PowerShell	Access
Windows PowerShell\PowerShell	Access

Mutex (2)

Mutex Name	Operations
Global\.net clr networking	Access, Delete
Global\E0B7509842610	Access

URL (1)

URL	Operations	Sources
HTTPS://185.222.202.79/sat36/YKYD69Q_W617601.2E664EE04488A02C628E0E6CA864C24A/5/spk/	GET	Function Log

IP (2)

IP	Protocols	Sources
64.44.51.87	TCP	Function Log
185.222.202.79	HTTPS, TCP	Function Log, PCAP

Export IOCs

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (1/1)

Indicators

Before

After