Fake UPS Shipping Doc | VMRay Analyzer Report
Try VMRay Analyzer
| Creation Time | 2017-08-21 23:03 (UTC+2) |
| VM Analysis Duration Time | 00:02:14 |
| Execution Successful |
|
| Sample Filename | UPS_Slip_307086.doc |
| Command Line Parameters |
|
| Prescript |
|
| Number of Processes | 13 |
| Termination Reason | Timeout |
| Download | Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON |
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 117 |
| VTI Rule Type | Documents |
|
The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration. |
|
|
The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration. |
|
|
The overall sleep time of all monitored processes was truncated from 8 minutes to 1 minute, 20 seconds to reveal dormant functionality. |
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0x934 | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" | |
| #2 | 0x9dc | Child Process | Medium | svchost.exe | "C:\Windows\SysWOW64\svchost.exe" | #1 |
| #4 | 0xa34 | Child Process | Medium | cmd.exe | cmd /K | #2 |
| #5 | 0xa68 | Child Process | Medium | svchost.exe | C:\Windows\System32\svchost.exe | #2 |
| #6 | 0xa7c | Child Process | Medium | bn649b.tmp | C:\Users\ADU0VK~1\AppData\Local\Temp\BN649B.tmp | #2 |
| #7 | 0xa84 | Child Process | Medium | explorer.exe | explorer.exe | #6 |
| #8 | 0x568 | Injection | Medium | explorer.exe | C:\Windows\Explorer.EXE | #7 |
| #10 | 0x510 | Injection | Medium | taskhost.exe | "taskhost.exe" | #8 |
| #11 | 0x55c | Injection | Medium | dwm.exe | "C:\Windows\system32\Dwm.exe" | #8 |
| #12 | 0x65c | Child Process | Medium | msiexec.exe | C:\Windows\syswow64\msiexec.exe | #8 |
| #13 | 0x2b4 | Injection | Medium | taskeng.exe | taskeng.exe {CFDCF914-63AE-4446-B16F-E0A62E2EE661} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:LUA[1] | #8 |
| #14 | 0x9b4 | Child Process | Medium | tor.exe | "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\tor.exe" | #12 |
| #15 | 0x8e8 | Child Process | Medium | certutil.exe | "C:\Users\ADU0VK~1\AppData\Local\Temp\certutil.exe" -A -n "yvesl" -t "C,C,C" -i "C:\Users\ADU0VK~1\AppData\Local\Temp\okguaxb.crt" -d "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\Mozilla\Firefox\Profiles\asmpdd98.default" | #12 |
| ID | #17501 |
| MD5 Hash Value | 929fb9558479a5c1c33f71a7373c3962 |
| SHA1 Hash Value | fcc0f73d96e660c58dd2e2f9a433a17aabdb7c62 |
| SHA256 Hash Value | ab90ed6cb461f17ce1f901097a045aba7c984898a0425767f01454689698f2e9 |
| Filename | UPS_Slip_307086.doc |
| File Size | 195.50 KB (200192 bytes) |
| File Type | Word Document |
| Has VBA Macros |
|
| Analyzer Version | 2.2.0 |
| Analyzer Build Date | 2017-08-21 12:23 |
| Microsoft Office Version | 2013 |
| Microsoft Word Version | 15.0.4569.1504 |
| Internet Explorer Version | 8.0.7601.17514 |
| Chrome Version | 59.0.3071.115 |
| Firefox Version | 25.0 |
| Flash Version | 10.3.183.90 |
| Java Version | 7.0.710 |
| VM Name | win7_64_sp1-mso2013 |
| VM Architecture | x86 64-bit |
| VM OS | Windows 7 |
| VM Kernel Version | 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) |
