VTI Score: 100 / 100
VTI Database Version: 2.6
VTI Rule Match Count: 19
VTI Rule Type: Default (PE, ...)

Anti Analysis
  Try to detect debugger
    Check via API "IsDebuggerPresent".
  Dynamic API usage
    Resolve above average number of APIs.

Device
  Write master boot record (MBR)
    Write 512 bytes to master boot record (MBR).

OS
  Disable system tool
    Disable startup repair by executing "C:\Windows\system32\cmd.exe /C title 9538298|bcdedit /set {default} recoveryenabled No".
    Disable startup repair by executing "C:\Windows\system32\cmd.exe /C title 8997147|bcdedit /set {default} bootstatuspolicy ignoreallfailures".

File System
  Encrypt content of user files
    Encrypt the content of multiple user files. This is an indicator for ransomware.
  Handle with malicious files
    File "c:\progra~1\common~1\wanacry6.malware.exe" is a known malicious file.
  Modify operating system directory
    Modify "c:\windows\system32\spp\store\2.0\data.dat.tmp".
    Modify "c:\windows\system32\spp\store\2.0\data.dat.bak".
    Modify "c:\windows\system32\spp\store\2.0\data.dat".
  Create many files
    Create above average number of files.

Kernel
  Execute code with kernel privileges
    Execute code with kernel privileges.

Network
  Download data
    Url "blockchain.info/tobtc?currency=USD&value=1500".
  Connect to HTTP server
    Remote address "blockchain.info/tobtc?currency=USD&value=1500".

Persistence
  Install system service
    Install service "3123635631" by using the sc.exe utility.

Process
  Create process with hidden window
    The process "C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\WANACR~1.EXE" starts with hidden window.
    The process "C:\Windows\system32\cmd.exe /C title 4180649|vssadmin.exe Delete Shadows /All /Quiet" starts with hidden window.
    The process "C:\Windows\system32\cmd.exe /C title 9538298|bcdedit /set {default} recoveryenabled No" starts with hidden window.
    The process "C:\Windows\system32\cmd.exe /C title 8997147|bcdedit /set {default} bootstatuspolicy ignoreallfailures" starts with hidden window.

Remaining VTI categories (score column shows "-" in the report):
  Browser: -
  Hide Tracks: -
  Information Stealing: -
  Injection: -
  Masquerade: -
  PE: -
  User: -
  VBA Macro: -
  YARA: -