a7aae835...4d15 | VTI
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Dropper, Downloader, Spyware, Backdoor, Exploit

a7aae83573aa9a682ce9733468882e841564f41ec4aa004cb795b98fd4834d15 (SHA256)

SS BRAID PO.doc.rtf

RTF Document

Created at 2018-09-05 20:13:00

Notifications (2/2)

The maximum number of reputation URL requests (25 per analysis) was exceeded. As a result, the reputation status could not be queried for all contacted URLs. In order to get the reputation status for all contacted URLs, please increase the 'Max URL Requests' setting in the system configurations.

The overall sleep time of all monitored processes was truncated from "16 minutes, 44 seconds" to "2 minutes, 10 seconds" to reveal dormant functionality.

Severity Category Operation Classification
5/5
Anti Analysis Tries to detect virtual machine -
  • Possibly trying to detect VM via rdtsc.
5/5
Injection Writes into the memory of another running process -
  • "c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe" modifies memory of "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe"
5/5
Injection Writes into the memory of a process running from a created or modified executable -
  • "c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe" modifies memory of "c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe"
5/5
Injection Modifies control flow of another process -
  • "c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe" alters context of "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe"
5/5
Injection Modifies control flow of a process running from a created or modified executable -
  • "c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe" alters context of "c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe"
5/5
Network Sets up server that accepts incoming connections Backdoor
4/5
Network Downloads file Downloader
  • Downloads file from "http://rollboat.tk/new/kc.exe" to "c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe".
4/5
Process Creates process -
  • Creates process "C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe".
  • Creates process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt"".
  • Creates process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt"".
4/5
Process Reads from memory of another process -
  • "c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe" reads from "C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe".
4/5
Information Stealing Reads browser data -
4/5
File System Known malicious file Exploit
  • File "C:\Users\aETAdzjz\Desktop\SS BRAID PO.doc.rtf" is a known malicious file.
4/5
Network Downloads data Downloader
3/5
Persistence Installs system startup script or application -
  • Adds "c:\users\aetadzjz\appdata\roaming\microsoft\windows\start menu\programs\startup" to Windows startup folder.
3/5
Network Performs DNS request -
3/5
Information Stealing Reads cryptocurrency wallet locations Spyware
3/5
Anti Analysis Delays execution -
3/5
Network Checks external IP address -
  • Checks external IP by asking IP info service at "http://whatismyipaddress.com/".
3/5
Network Connects to remote host -
3/5
PE Executes dropped PE file -
  • Executes dropped file "c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\kc[1].exe".
2/5
File System Known suspicious file Trojan
  • File "c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\kc[1].exe" is a known suspicious file.
2/5
Network Associated with known malicious/suspicious URLs -
2/5
Network Connects to HTTP server -
2/5
PE Drops PE file Dropper
  • Drops file "c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\kc[1].exe".
1/5
Process Creates system object -
Function Logfile
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Before

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
After

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Screenshot
Expand-Icon
Exit-Icon
icon_left
icon_left
image