VTI Score: 100 / 100
VTI Database Version: 2.6
VTI Rule Match Count: 117
VTI Rule Type: Documents

Matched rules, grouped by VTI category, with the details reported for each rule:
Anti Analysis
  Delay execution
    One thread sleeps more than 5 minutes.

Browser
  Read data related to saved browser credentials
    Read saved credentials for "Mozilla Firefox".
    Read saved credentials for "Google Chrome".
    Read the master key for "Mozilla Firefox".
File System
  Handle with malicious files
    (no details listed)

Hide Tracks
  Write large data into the registry
    Hide 4416 bytes in "HKEY_CURRENT_USER\Software\Microsoft\aaf4e053c\1dc1e28ae".
    Hide 1061 bytes in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
    Hide 1445 bytes in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
    Hide 1828 bytes in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
    Hide 3220 bytes in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
    Hide 3315 bytes in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
    Hide 6682 bytes in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
    Hide 2123 bytes in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Xayqzo".
    Hide 7244 bytes in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
    Hide 7055 bytes in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
    Hide 9367 bytes in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
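The stash locations above (HKEY_CURRENT_USER\Software\Microsoft\<random>\<random>, values of roughly 1 to 9 KB) are what a responder would look for on other hosts. As an added example, not code from the report or the sandbox vendor, here is a Python heuristic that flags REG_BINARY values that are both large and high-entropy, records a hex-looking subkey name as a further reason, and can walk HKCU\Software\Microsoft live on a Windows host through winreg. The size and entropy thresholds, the hex-name rule and the two sample values in demo_samples() are this example's own assumptions.

```python
"""Heuristic hunt for payload or config blobs stashed under HKCU\\Software\\Microsoft.

Added example, not part of the sandbox report. The size and entropy thresholds
and the hex-name rule are this example's own assumptions; the two sample
values in demo_samples() are constructed, not taken from the sample.
"""
import math
import random
import re
import sys
from collections import Counter
from dataclasses import dataclass, field

MIN_SIZE = 1024       # assumption: REG_BINARY values this large under Software\Microsoft are rare
MIN_ENTROPY = 7.0     # bits per byte; encrypted or compressed data sits close to 8.0
HEXISH = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)   # key names like aaf4e053c or 1dc1e28ae


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    key_path: str
    value_name: str
    size: int
    entropy: float
    reasons: list = field(default_factory=list)


def score_value(key_path: str, value_name: str, data: bytes):
    """Return a Finding if the value is large and high-entropy, else None.

    A random-looking subkey name is recorded as an extra reason but is not
    required, because the report also shows stashes under readable names
    (Seto\\Yqlozyzuz).
    """
    ent = shannon_entropy(data)
    if len(data) < MIN_SIZE or ent < MIN_ENTROPY:
        return None
    reasons = [f"{len(data)} bytes", f"entropy {ent:.2f} bits/byte"]
    if any(HEXISH.match(part) for part in key_path.split("\\")):
        reasons.append("hex-looking subkey name")
    return Finding(key_path, value_name, len(data), ent, reasons)


def scan_hkcu_microsoft(max_depth: int = 3):
    """Walk HKCU\\Software\\Microsoft on a Windows host; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    findings = []

    def walk(path, depth):
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
        except OSError:
            return
        with key:
            i = 0
            while True:                       # EnumValue raises OSError when the values run out
                try:
                    name, data, vtype = winreg.EnumValue(key, i)
                except OSError:
                    break
                i += 1
                if vtype == winreg.REG_BINARY and isinstance(data, bytes):
                    hit = score_value("HKCU\\" + path, name, data)
                    if hit:
                        findings.append(hit)
            if depth < max_depth:
                j = 0
                while True:                   # EnumKey likewise raises OSError at the end
                    try:
                        sub = winreg.EnumKey(key, j)
                    except OSError:
                        break
                    j += 1
                    walk(path + "\\" + sub, depth + 1)

    walk(r"Software\Microsoft", 0)
    return findings


def demo_samples():
    """Constructed values: a 4416-byte random blob at one of the report's key paths, and a zero-filled one."""
    rng = random.Random(1)
    stash = bytes(rng.getrandbits(8) for _ in range(4416))
    return [
        (r"HKCU\Software\Microsoft\aaf4e053c\1dc1e28ae", "data", stash),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "Settings", bytes(3000)),
    ]


def run_demo():
    return [score_value(*sample) for sample in demo_samples()]


if __name__ == "__main__":
    for hit in run_demo() + scan_hkcu_microsoft():
        if hit:
            print(hit.key_path, hit.value_name, hit.reasons)
```

HKCU needs no elevation, so the live scan runs under the user's own token. Expect some legitimate hits (cached or compressed settings are also large and high-entropy), so treat the output as a hunt query to review, not as an alert.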
Information Stealing
  Read system data
    Read out the Windows license key.
    Read the Windows installation date from the registry.
Injection
  Write into memory of another process
    "c:\program files\microsoft office\office15\winword.exe" modifies memory of "c:\windows\syswow64\svchost.exe"
    "c:\windows\syswow64\svchost.exe" modifies memory of "c:\windows\syswow64\svchost.exe"
    "c:\users\adu0vk~1\appdata\local\temp\bn649b.tmp" modifies memory of "c:\windows\syswow64\explorer.exe"
    "c:\windows\syswow64\explorer.exe" modifies memory of "c:\windows\explorer.exe"
    "c:\windows\explorer.exe" modifies memory of "c:\windows\system32\taskhost.exe"
    "c:\windows\explorer.exe" modifies memory of "c:\windows\system32\dwm.exe"
    "c:\windows\explorer.exe" modifies memory of "c:\windows\syswow64\msiexec.exe"
    "c:\windows\explorer.exe" modifies memory of "c:\windows\system32\taskeng.exe"
  Modify control flow of another process
    "c:\windows\syswow64\svchost.exe" alters context of "c:\windows\syswow64\svchost.exe"
    "c:\windows\syswow64\explorer.exe" creates thread in "c:\windows\explorer.exe"
    "c:\windows\explorer.exe" creates thread in "c:\windows\system32\taskhost.exe"
    "c:\windows\explorer.exe" creates thread in "c:\windows\system32\dwm.exe"
    "c:\windows\explorer.exe" creates thread in "c:\windows\syswow64\msiexec.exe"
    "c:\windows\explorer.exe" creates thread in "c:\windows\system32\taskeng.exe"
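The injection rules key on image paths rather than process IDs, so a pair such as svchost.exe writing into svchost.exe and then altering its context appears as a self-loop, and the chain from the document (winword.exe writes into a 32-bit svchost.exe; the dropped BN649B.tmp writes into the 32-bit explorer.exe, which moves into the 64-bit explorer.exe, which then writes into and starts threads in taskhost, dwm, msiexec and taskeng) has to be reassembled by hand. As an added example, not code from the report or the vendor, the following Python does that reassembly: it parses the lines above into a graph keyed on (source, target), keeps which of the two stages (write, execute) were seen for each pair, lists the Office-originated edges, and walks every chain from a root process to its leaves. The report's own lines are embedded as the input; the OFFICE set is this example's own.

```python
"""Rebuild process-injection chains from a sandbox report's injection lines.

Added example, not part of the report. REPORT_LINES are copied from the
"Write into memory of another process" and "Modify control flow of another
process" rules above; OFFICE is this example's own list.
"""
import re
from collections import defaultdict

REPORT_LINES = [
    r'"c:\program files\microsoft office\office15\winword.exe" modifies memory of "c:\windows\syswow64\svchost.exe"',
    r'"c:\windows\syswow64\svchost.exe" modifies memory of "c:\windows\syswow64\svchost.exe"',
    r'"c:\users\adu0vk~1\appdata\local\temp\bn649b.tmp" modifies memory of "c:\windows\syswow64\explorer.exe"',
    r'"c:\windows\syswow64\explorer.exe" modifies memory of "c:\windows\explorer.exe"',
    r'"c:\windows\explorer.exe" modifies memory of "c:\windows\system32\taskhost.exe"',
    r'"c:\windows\explorer.exe" modifies memory of "c:\windows\system32\dwm.exe"',
    r'"c:\windows\explorer.exe" modifies memory of "c:\windows\syswow64\msiexec.exe"',
    r'"c:\windows\explorer.exe" modifies memory of "c:\windows\system32\taskeng.exe"',
    r'"c:\windows\syswow64\svchost.exe" alters context of "c:\windows\syswow64\svchost.exe"',
    r'"c:\windows\syswow64\explorer.exe" creates thread in "c:\windows\explorer.exe"',
    r'"c:\windows\explorer.exe" creates thread in "c:\windows\system32\taskhost.exe"',
    r'"c:\windows\explorer.exe" creates thread in "c:\windows\system32\dwm.exe"',
    r'"c:\windows\explorer.exe" creates thread in "c:\windows\syswow64\msiexec.exe"',
    r'"c:\windows\explorer.exe" creates thread in "c:\windows\system32\taskeng.exe"',
]

EVENT_RE = re.compile(
    r'^"(?P<src>[^"]+)" (?P<verb>modifies memory of|creates thread in|alters context of) "(?P<dst>[^"]+)"$')
# A remote injection needs a write into the target plus a way to run it; the
# report's three verbs map onto those two stages.
STAGE = {"modifies memory of": "write", "creates thread in": "execute", "alters context of": "execute"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}   # assumption: Office hosts of interest


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_graph(lines):
    """Map (src, dst) image paths to the set of stages observed between them."""
    graph = defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            graph[(m["src"].lower(), m["dst"].lower())].add(STAGE[m["verb"]])
    return dict(graph)


def complete_injections(graph):
    """Pairs where both a write and an execute stage were seen."""
    return sorted(pair for pair, stages in graph.items() if stages == {"write", "execute"})


def office_origin(graph):
    """Edges whose source is an Office binary: a document put code into another process."""
    return sorted(pair for pair in graph if basename(pair[0]) in OFFICE)


def injection_chains(graph):
    """Root-to-leaf paths through the injection edges (self-loops skipped, cycles cut)."""
    succ = defaultdict(list)
    targets = set()
    for src, dst in graph:
        if src != dst:
            succ[src].append(dst)
            targets.add(dst)
    roots = sorted(s for s in succ if s not in targets)
    chains = []

    def walk(node, path):
        nxt = [d for d in succ.get(node, []) if d not in path]
        if not nxt:
            chains.append(path)
        for d in nxt:
            walk(d, path + [d])

    for root in roots:
        walk(root, [root])
    return chains


def summarize(lines):
    graph = build_graph(lines)
    return {"edges": len(graph), "complete": complete_injections(graph),
            "office_origin": office_origin(graph), "chains": injection_chains(graph)}


if __name__ == "__main__":
    for chain in summarize(REPORT_LINES)["chains"]:
        print(" -> ".join(basename(p) for p in chain))
```

On the report's lines this yields two roots (winword.exe and BN649B.tmp) and five chains, the longest running four processes deep; the write-only edge from winword.exe to svchost.exe is kept separate from the six pairs that show both stages.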
Network
  Setup server that accepts incoming connections
    TCP server listen on port "32090".
    TCP server listen on port "38078".
    TCP server listen on port "0".
    TCP server listen on port "9050".
  Download data
    Url "api.ipify.org/".
    Url "butsulacoft.com/ls5/forum.php".
    Url "supritofuld.ru/ls5/forum.php".
    Url "tekstheks.nl/wp-admin/includes/1".
    Url "tekstheks.nl/wp-admin/includes/2".
    Url "tekstheks.nl/wp-admin/includes/3".
    Url "butsulacoft.com/mlu/forum.php".
    Url "fortsiretbab.com/bdl/gate.php".
    Url "checkip.dyndns.org/".
    Url "butsulacoft.com/d2/about.php".
  Perform DNS request
    Resolve host name "butsulacoft.com".
  Check external IP address
    Check external IP by asking IP info service at "api.ipify.org/".
    Check external IP by asking IP info service at "checkip.dyndns.org/".
  Connect to remote host
    Outgoing TCP connection to host "62.109.18.138:80".
    Outgoing TCP connection to host "127.0.0.1:49172".
    Outgoing TCP connection to host "82.223.21.74:9001".
    Outgoing TCP connection to host "127.0.0.1:9050".
  Connect to HTTP server
    Remote address "api.ipify.org/".
    Remote address "butsulacoft.com/ls5/forum.php".
    Remote address "supritofuld.ru/ls5/forum.php".
    Remote address "tekstheks.nl/wp-admin/includes/1".
    Remote address "tekstheks.nl/wp-admin/includes/2".
    Remote address "tekstheks.nl/wp-admin/includes/3".
    Remote address "butsulacoft.com/mlu/forum.php".
    Remote address "fortsiretbab.com/bdl/gate.php".
    Remote address "checkip.dyndns.org/".
    Remote address "butsulacoft.com/d2/about.php".
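Read together, the Network rules say more than any single line: the sample listens on 9050 (Tor's default SOCKS port) and then connects to 127.0.0.1:9050, so it is proxying through the tor.exe it drops; the outgoing connection to port 9001 matches Tor's default ORPort; api.ipify.org and checkip.dyndns.org are external-IP lookups; and the path /ls5/forum.php is served by two different domains, the usual shape of one backend behind fallback hosts. As an added example, not code from the report or the vendor, this Python applies exactly those rules to the lines above (embedded as the input, with the duplicated "Remote address" entries folded into the "Url" ones). The port table and the IP-check host list are this example's own and deliberately short.

```python
"""Classify the network lines of a sandbox report: Tor ports, external-IP
checks, and URL paths shared across domains.

Added example, not part of the report. REPORT_NETWORK_LINES are copied from
the Network rules above; the port and host tables are this example's own.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Tor's default ports (tor.exe is among the dropped files in the report).
TOR_PORTS = {9050: "Tor SOCKS (default)", 9150: "Tor Browser SOCKS (default)",
             9001: "Tor ORPort (default)", 9030: "Tor DirPort (default)"}
# Assumption: a partial list of "what is my IP" services.
IP_CHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ipinfo.io"}
WP_MARKERS = ("/wp-admin/", "/wp-content/", "/wp-includes/")

LISTEN_RE = re.compile(r'TCP server listen on port "(\d+)"')
CONN_RE = re.compile(r'Outgoing TCP connection to host "([^":]+):(\d+)"')
URL_RE = re.compile(r'(?:Url|Remote address) "([^"]+)"')

REPORT_NETWORK_LINES = [
    'TCP server listen on port "32090".',
    'TCP server listen on port "38078".',
    'TCP server listen on port "0".',
    'TCP server listen on port "9050".',
    'Url "api.ipify.org/".',
    'Url "butsulacoft.com/ls5/forum.php".',
    'Url "supritofuld.ru/ls5/forum.php".',
    'Url "tekstheks.nl/wp-admin/includes/1".',
    'Url "tekstheks.nl/wp-admin/includes/2".',
    'Url "tekstheks.nl/wp-admin/includes/3".',
    'Url "butsulacoft.com/mlu/forum.php".',
    'Url "fortsiretbab.com/bdl/gate.php".',
    'Url "checkip.dyndns.org/".',
    'Url "butsulacoft.com/d2/about.php".',
    'Outgoing TCP connection to host "62.109.18.138:80".',
    'Outgoing TCP connection to host "127.0.0.1:49172".',
    'Outgoing TCP connection to host "82.223.21.74:9001".',
    'Outgoing TCP connection to host "127.0.0.1:9050".',
    'Remote address "butsulacoft.com/ls5/forum.php".',   # same URL under a second rule: deduplicated
]


def classify_network(lines):
    listeners, connections, urls = {}, [], set()
    for line in lines:
        if m := LISTEN_RE.search(line):
            port = int(m[1])
            # Binding port 0 asks the OS for an ephemeral port, so the real port is not in the report.
            listeners[port] = TOR_PORTS.get(port, "ephemeral (OS-assigned)" if port == 0 else "unclassified")
        elif m := CONN_RE.search(line):
            host, port = m[1], int(m[2])
            tag = None
            if port in TOR_PORTS:
                local_socks = host == "127.0.0.1" and port in (9050, 9150)
                tag = "local Tor SOCKS client" if local_socks else TOR_PORTS[port]
            connections.append((host, port, tag))
        elif m := URL_RE.search(line):
            raw = m[1] if "://" in m[1] else "http://" + m[1]   # report URLs carry no scheme
            parts = urlsplit(raw)
            urls.add((parts.hostname, parts.path or "/"))
    by_path = defaultdict(set)
    for host, path in urls:
        if path != "/":                       # "/" is shared by every host and says nothing
            by_path[path].add(host)
    return {
        "listeners": listeners,
        "connections": connections,
        "external_ip_checks": sorted({h for h, _ in urls if h in IP_CHECK_HOSTS}),
        # The same non-root path on several domains usually means one backend with fallback hosts.
        "shared_paths": {p: sorted(h) for p, h in by_path.items() if len(h) > 1},
        # Numbered resources under a WordPress admin path are worth fetching and examining.
        "wordpress_paths": sorted(h + p for h, p in urls if p.startswith(WP_MARKERS)),
    }


if __name__ == "__main__":
    for key, value in classify_network(REPORT_NETWORK_LINES).items():
        print(key, value)
```

The loopback connection to 127.0.0.1:49172 is left untagged on purpose: it is an ephemeral port, most likely the one the "port 0" listener received, but the report does not say so.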
PE
  Execute dropped PE file
    Execute dropped file "c:\users\adu0vk~1\appdata\local\temp\bn649b.tmp".
    Execute dropped file "c:\users\adu0vk iwa5kls\appdata\roaming\tor.exe".
    Execute dropped file "c:\users\adu0vk~1\appdata\local\temp\certutil.exe".
  Drop PE file
    Drop file "c:\users\adu0vk~1\appdata\local\temp\bn649b.tmp".
    Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\libeay32.dll".
    Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\libevent-2-0-5.dll".
    Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\libgcc_s_sjlj-1.dll".
    Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\libssp-0.dll".
    Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\ssleay32.dll".
    Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\tor.exe".
    Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\zlib1.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\certutil.exe".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\freebl3.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\libnspr4.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\libplc4.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\libplds4.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\msvcr100.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\nss3.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\nssdbm3.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\nssutil3.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\smime3.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\softokn3.dll".
    Drop file "c:\users\adu0vk~1\appdata\local\temp\sqlite3.dll".
Process
  Create process
    Create process "C:\Windows\SysWOW64\svchost.exe".
    Create process "cmd /K".
    Create process "C:\Windows\System32\svchost.exe".
    Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\BN649B.tmp".
    Create process "explorer.exe".
    Create process "C:\Windows\syswow64\msiexec.exe".
    Create process "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\tor.exe".
    Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\certutil.exe" -A -n "yvesl" -t "C,C,C" -i "C:\Users\ADU0VK~1\AppData\Local\Temp\okguaxb.crt" -d "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\Mozilla\Firefox\Profiles\asmpdd98.default".
  Read from memory of another process
    "c:\users\adu0vk~1\appdata\local\temp\bn649b.tmp" reads from "explorer.exe".
  Create system object
    Create mutex with name "Local\mtxLogMeInIgnition.IgnitionMutex".
    Create mutex with name "e".
    Create mutex with name "Global\{AE124E3B-FDD1-1422-65D9-FE61A0417768}".
    Create mutex with name "Global\{85B42B0A-98E0-3F84-65D9-FE61A0417768}".
    Create mutex with name "Local\{85B47B09-C8E3-3F84-65D9-FE61A0417768}".
    Create mutex with name "Global\{4F600524-B6CE-F550-C27E-E7A907E66EA0}".
    Create mutex with name "Global\{4F600524-B6CE-F550-8E7E-E7A94BE66EA0}".
    Create mutex with name "Global\{8E6A7E3D-CDD7-345A-65D9-FE61A0417768}".
    Create mutex with name "Global\{4F600524-B6CE-F550-1A7E-E7A9DFE66EA0}".
    Create mutex with name "Global\{4F600524-B6CE-F550-027C-E7A9C7E46EA0}".
    Create mutex with name "Global\{4F600524-B6CE-F550-6679-E7A9A3E16EA0}".
    Create mutex with name "Global\{4F600524-B6CE-F550-5E7C-E7A99BE46EA0}".
    Create mutex with name "Global\{4F600524-B6CE-F550-8E7D-E7A94BE56EA0}".
    Create mutex with name "Global\{D773FC21-4FCB-6D43-65D9-FE61A0417768}".
    Create mutex with name "Global\{86709C2F-2FC5-3C40-65D9-FE61A0417768}".
    Create mutex with name "Global\{E4529D1E-2EF4-5E62-65D9-FE61A0417768}".
    Create mutex with name "Global\{E4529D1D-2EF7-5E62-65D9-FE61A0417768}".
    Create mutex with name "Global\{E4529D1F-2EF5-5E62-65D9-FE61A0417768}".
    Create mutex with name "Global\{1F05FC9E-4F74-A535-65D9-FE61A0417768}".
    Create mutex with name "Global\{6E93744F-C7A5-D4A3-65D9-FE61A0417768}".
    Create mutex with name "Global\{B7C3F14A-42A0-0DF3-65D9-FE61A0417768}".
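The certutil.exe in the last Create process entry is not the Windows tool of that name. It was dropped into %TEMP% next to nss3.dll, softokn3.dll, freebl3.dll and the rest of the NSS libraries listed under Drop PE file, and -A -n <nickname> -t <trust> -i <cert> -d <dbdir> is the syntax of NSS's certutil (Microsoft's certutil adds certificates with -addstore). A trust string of "C,C,C" marks the imported certificate as a trusted CA for SSL, S/MIME and object signing, and -d points the import at the Firefox profile asmpdd98.default, so Firefox running under that profile will accept any certificate chaining to "yvesl". As an added example, not code from the report or the vendor, here is a Python triage routine that parses such a command line and scores it against the dropped-file list; the command line and file paths are copied from the report, while the NSS runtime set and the checks themselves are this example's own.

```python
"""Triage an NSS certutil invocation from a process-creation log.

Added example, not part of the sandbox report. REPORT_CMDLINE and
REPORT_DROPS are copied from the Process and PE rules above; NSS_RUNTIME and
the checks in assess() are this example's own.
"""
import shlex

# DLLs that NSS's certutil.exe loads. Microsoft's certutil lives in System32,
# needs none of these and uses -addstore rather than -A/-n/-t/-d.
NSS_RUNTIME = {"nss3.dll", "softokn3.dll", "freebl3.dll", "nssdbm3.dll", "nssutil3.dll",
               "smime3.dll", "libnspr4.dll", "libplc4.dll", "libplds4.dll", "sqlite3.dll"}
OPTION_NAMES = {"-n": "nickname", "-t": "trust", "-i": "input", "-d": "dbdir"}

REPORT_CMDLINE = (
    r'"C:\Users\ADU0VK~1\AppData\Local\Temp\certutil.exe" -A -n "yvesl" -t "C,C,C" '
    r'-i "C:\Users\ADU0VK~1\AppData\Local\Temp\okguaxb.crt" '
    r'-d "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\Mozilla\Firefox\Profiles\asmpdd98.default"'
)
REPORT_DROPS = [
    r"c:\users\adu0vk iwa5kls\appdata\roaming\tor.exe",
    r"c:\users\adu0vk~1\appdata\local\temp\certutil.exe",
    r"c:\users\adu0vk~1\appdata\local\temp\freebl3.dll",
    r"c:\users\adu0vk~1\appdata\local\temp\libnspr4.dll",
    r"c:\users\adu0vk~1\appdata\local\temp\libplc4.dll",
    r"c:\users\adu0vk~1\appdata\local\temp\libplds4.dll",
    r"c:\users\adu0vk~1\appdata\local\temp\msvcr100.dll",
    r"c:\users\adu0vk~1\appdata\local\temp\nss3.dll",
    r"c:\users\adu0vk~1\appdata\local\temp\nssdbm3.dll",
    r"c:\users\adu0vk~1\appdata\local\temp\nssutil3.dll",
    r"c:\users\adu0vk~1\appdata\local\temp\smime3.dll",
    r"c:\users\adu0vk~1\appdata\local\temp\softokn3.dll",
    r"c:\users\adu0vk~1\appdata\local\temp\sqlite3.dll",
]


def split_path(path):
    """(directory, basename), lower-cased and slash-normalised, for Windows paths on any host."""
    norm = path.replace("\\", "/").lower()
    directory, _, base = norm.rpartition("/")
    return directory, base


def parse_certutil(cmdline):
    """Tokenise a Windows command line (non-POSIX rules keep backslashes) and pull out the NSS options."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or split_path(tokens[0])[1] != "certutil.exe":
        return None
    opts = {"exe": tokens[0], "add": False}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-A":                       # -A: add a certificate to the database
            opts["add"] = True
            i += 1
        elif tok in OPTION_NAMES and i + 1 < len(tokens):
            opts[OPTION_NAMES[tok]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def assess(opts, dropped_files):
    """Findings that make this certutil run worth escalating."""
    findings = []
    exe_dir, _ = split_path(opts["exe"])
    if not exe_dir.endswith(("/windows/system32", "/windows/syswow64")):
        findings.append("certutil.exe outside System32/SysWOW64: " + opts["exe"])
    nss = sorted(base for d, base in map(split_path, dropped_files) if d == exe_dir and base in NSS_RUNTIME)
    if nss:
        findings.append(f"NSS runtime dropped beside it ({len(nss)} DLLs): " + ", ".join(nss))
    trust = opts.get("trust", "")
    ssl_flags = trust.split(",")[0]       # NSS trust string is SSL,email,object-signing; C = trusted CA
    if opts["add"] and "C" in ssl_flags:
        findings.append(f'-A with trust "{trust}": "{opts.get("nickname")}" becomes a trusted SSL CA')
    dbdir = opts.get("dbdir", "").replace("\\", "/").lower()
    if "/mozilla/firefox/profiles/" in dbdir:
        findings.append("target cert DB is a Firefox profile: " + opts["dbdir"])
    return findings


if __name__ == "__main__":
    for line in assess(parse_certutil(REPORT_CMDLINE), REPORT_DROPS):
        print(line)
```

On a live host the follow-up is to open the profile's certificate database (cert8.db or cert9.db, depending on Firefox version) and look for the nickname "yvesl" in the Authorities list, then remove it.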
User
  Bruteforce user account
    Possibly trying to bruteforce the "Guest" account.

VBA Macro
  Execute macro on specific worksheet event
    Execute macro on "Open Document" event.

Categories with no listed matches: Device, OS, Kernel, Masquerade, Persistence, YARA.