Field | Value
---|---
Creation Time | 2017-08-21 23:03 (UTC+2)
VM Analysis Duration Time | 00:02:14
Execution Successful | 
Sample Filename | UPS_Slip_307086.doc
Command Line Parameters | 
Prescript | 
Number of Processes | 13
Termination Reason | Timeout
VTI Score | 100 / 100
VTI Database Version | 2.6
VTI Rule Match Count | 117
VTI Rule Type | Documents
The dump total size limit was reached during the analysis, so some memory dumps may be missing from the reports; the limit can be raised in the configuration.
The maximum number of dumps was reached during the analysis, so some memory dumps may be missing from the reports; the limit can be raised in the configuration.
The overall sleep time of all monitored processes was truncated from 8 minutes to 1 minute, 20 seconds to reveal dormant functionality.
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
---|---|---|---|---|---|---|
#1 | 0x934 | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" | |
#2 | 0x9dc | Child Process | Medium | svchost.exe | "C:\Windows\SysWOW64\svchost.exe" | #1 |
#4 | 0xa34 | Child Process | Medium | cmd.exe | cmd /K | #2 |
#5 | 0xa68 | Child Process | Medium | svchost.exe | C:\Windows\System32\svchost.exe | #2 |
#6 | 0xa7c | Child Process | Medium | bn649b.tmp | C:\Users\ADU0VK~1\AppData\Local\Temp\BN649B.tmp | #2 |
#7 | 0xa84 | Child Process | Medium | explorer.exe | explorer.exe | #6 |
#8 | 0x568 | Injection | Medium | explorer.exe | C:\Windows\Explorer.EXE | #7 |
#10 | 0x510 | Injection | Medium | taskhost.exe | "taskhost.exe" | #8 |
#11 | 0x55c | Injection | Medium | dwm.exe | "C:\Windows\system32\Dwm.exe" | #8 |
#12 | 0x65c | Child Process | Medium | msiexec.exe | C:\Windows\syswow64\msiexec.exe | #8 |
#13 | 0x2b4 | Injection | Medium | taskeng.exe | taskeng.exe {CFDCF914-63AE-4446-B16F-E0A62E2EE661} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:LUA[1] | #8 |
#14 | 0x9b4 | Child Process | Medium | tor.exe | "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\tor.exe" | #12 |
#15 | 0x8e8 | Child Process | Medium | certutil.exe | "C:\Users\ADU0VK~1\AppData\Local\Temp\certutil.exe" -A -n "yvesl" -t "C,C,C" -i "C:\Users\ADU0VK~1\AppData\Local\Temp\okguaxb.crt" -d "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\Mozilla\Firefox\Profiles\asmpdd98.default" | #12 |
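Read as a responder would, the process tree above is: WINWORD.EXE (#1) starts a 32-bit svchost.exe from SysWOW64 (#2), which launches cmd.exe, a second svchost.exe and a .tmp executable from the user's Temp directory (#6); that .tmp starts explorer.exe and code ends up injected into the real Explorer (#8), which in turn injects into taskhost.exe, dwm.exe and taskeng.exe and starts msiexec.exe (#12); msiexec.exe then launches tor.exe dropped in AppData\Roaming (#14) and a certutil.exe copied to Temp (#15). The switches on that certutil line, `-A -n -t -d`, are Mozilla NSS certutil syntax, not Windows certutil.exe: the command imports okguaxb.crt into the Firefox profile's certificate database under the nickname "yvesl" with trust "C,C,C" (trusted CA for SSL, e-mail and object signing), which is the precondition for intercepting the victim's HTTPS sessions in Firefox without certificate warnings. The Python below is an added example, not part of the report or of the sandbox vendor's tooling: it parses the table rows above and applies a small set of triage rules to them. The rule names, the user-writable path pattern and the treatment of a non-services.exe parent of svchost.exe as suspicious are editorial assumptions, not the report's own VTI rules.

```python
"""Triage a sandbox report's process table (added example, not the report's own tooling).
Parses the ID/PID/Monitor Reason/Integrity Level/Image Name/Command Line/Origin ID rows
quoted from the report and flags what a responder would chase first. Rule names and the
user-writable path pattern are editorial assumptions, not the sandbox's VTI rules.
"""
import re
from collections import namedtuple

# Rows copied verbatim from the report's process table.
PROCESS_TABLE = r"""
#1 | 0x934 | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" | |
#2 | 0x9dc | Child Process | Medium | svchost.exe | "C:\Windows\SysWOW64\svchost.exe" | #1 |
#4 | 0xa34 | Child Process | Medium | cmd.exe | cmd /K | #2 |
#5 | 0xa68 | Child Process | Medium | svchost.exe | C:\Windows\System32\svchost.exe | #2 |
#6 | 0xa7c | Child Process | Medium | bn649b.tmp | C:\Users\ADU0VK~1\AppData\Local\Temp\BN649B.tmp | #2 |
#7 | 0xa84 | Child Process | Medium | explorer.exe | explorer.exe | #6 |
#8 | 0x568 | Injection | Medium | explorer.exe | C:\Windows\Explorer.EXE | #7 |
#10 | 0x510 | Injection | Medium | taskhost.exe | "taskhost.exe" | #8 |
#11 | 0x55c | Injection | Medium | dwm.exe | "C:\Windows\system32\Dwm.exe" | #8 |
#12 | 0x65c | Child Process | Medium | msiexec.exe | C:\Windows\syswow64\msiexec.exe | #8 |
#13 | 0x2b4 | Injection | Medium | taskeng.exe | taskeng.exe {CFDCF914-63AE-4446-B16F-E0A62E2EE661} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:LUA[1] | #8 |
#14 | 0x9b4 | Child Process | Medium | tor.exe | "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\tor.exe" | #12 |
#15 | 0x8e8 | Child Process | Medium | certutil.exe | "C:\Users\ADU0VK~1\AppData\Local\Temp\certutil.exe" -A -n "yvesl" -t "C,C,C" -i "C:\Users\ADU0VK~1\AppData\Local\Temp\okguaxb.crt" -d "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\Mozilla\Firefox\Profiles\asmpdd98.default" | #12 |
"""

Process = namedtuple("Process", "id pid reason integrity image cmdline origin")
Finding = namedtuple("Finding", "rule proc_id detail")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: an image executing from one of these directories is worth a finding.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|downloads|public)\\", re.I)

def parse_process_table(text):
    """Parse pipe-separated rows into {ID: Process}; lines that are not rows are skipped."""
    procs = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line.startswith("#"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 7:
            raise ValueError(f"malformed row: {line!r}")
        pid, reason, integrity, image = cells[1:5]
        cmdline = "|".join(cells[5:-1]).strip()  # a command line may itself contain '|'
        procs[cells[0]] = Process(cells[0], pid, reason, integrity, image.lower(),
                                  cmdline, cells[-1] or None)
    return procs

def argv(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted" spans whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def flags(tokens):
    """Map '-x value' pairs to {'-x': 'value'}; a flag without a value maps to None."""
    out, i = {}, 1
    while i < len(tokens):
        val = tokens[i + 1] if i + 1 < len(tokens) and not tokens[i + 1].startswith("-") else None
        if tokens[i].startswith("-"):
            out[tokens[i]] = val
        i += 2 if tokens[i].startswith("-") and val is not None else 1
    return out

def ancestry(procs, proc_id):
    """Process IDs from the analysis target down to proc_id, following Origin ID."""
    chain, seen = [], set()
    while proc_id in procs and proc_id not in seen:
        seen.add(proc_id)
        chain.append(proc_id)
        proc_id = procs[proc_id].origin
    return chain[::-1]

def triage(procs):
    """Apply the editorial rules to every process and return the Findings."""
    found = []
    for p in procs.values():
        parent, tokens = procs.get(p.origin), argv(p.cmdline)
        image_path = tokens[0] if tokens else p.image
        who = parent.image if parent else "unknown"
        if parent and parent.image in OFFICE_APPS and p.reason == "Child Process":
            found.append(Finding("office_child", p.id, f"{who} spawned {p.image}"))
        if p.image == "svchost.exe" and who != "services.exe":
            found.append(Finding("svchost_parent", p.id, f"started by {who}, not services.exe: {image_path}"))
        if USER_WRITABLE.search(image_path) or p.image.endswith(".tmp"):
            found.append(Finding("userland_exec", p.id, f"{p.image} run from {image_path}"))
        if p.reason == "Injection":
            found.append(Finding("injection", p.id, f"{who} ({p.origin}) injected into {p.image}"))
        if p.image == "certutil.exe":
            # "-A -n -t -d" is Mozilla NSS certutil syntax (add cert, nickname, trust, DB dir), not Windows certutil.exe.
            opts = flags(tokens)
            if "-A" in opts and "-d" in opts:
                found.append(Finding("nss_cert_add", p.id,
                                     f"adds cert '{opts.get('-n')}' trust '{opts.get('-t')}' to NSS db {opts['-d']}"))
    return found

def report(procs, findings):
    """One line per finding with the full parent chain back to the analysis target."""
    return [f"[{f.rule}] {f.proc_id}: {f.detail} | chain: " +
            " > ".join(procs[i].image for i in ancestry(procs, f.proc_id)) for f in findings]

if __name__ == "__main__":
    print("\n".join(report(procs := parse_process_table(PROCESS_TABLE), triage(procs))))
```

Running it prints one line per finding with the image chain back to WINWORD.EXE; the `nss_cert_add` finding for #15 carries the nickname, trust string and profile directory pulled from the command line, which is what you would take to the endpoint to check the victim's Firefox certificate store. The parser re-joins cells after the fifth so a command line containing `|` does not break the row, and `ancestry` guards against origin loops.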
Field | Value
---|---
ID | #17501
MD5 Hash Value | 929fb9558479a5c1c33f71a7373c3962
SHA1 Hash Value | fcc0f73d96e660c58dd2e2f9a433a17aabdb7c62
SHA256 Hash Value | ab90ed6cb461f17ce1f901097a045aba7c984898a0425767f01454689698f2e9
Filename | UPS_Slip_307086.doc
File Size | 195.50 KB (200192 bytes)
File Type | Word Document (has VBA macros)

Field | Value
---|---
Analyzer Version | 2.2.0
Analyzer Build Date | 2017-08-21 12:23
Microsoft Office Version | 2013
Microsoft Word Version | 15.0.4569.1504
Internet Explorer Version | 8.0.7601.17514
Chrome Version | 59.0.3071.115
Firefox Version | 25.0
Flash Version | 10.3.183.90
Java Version | 7.0.710
VM Name | win7_64_sp1-mso2013
VM Architecture | x86 64-bit
VM OS | Windows 7
VM Kernel Version | 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)