Fake UPS Shipping Doc | VTI by Score
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 117 |
| VTI Rule Type | Documents |
|
User | Bruteforce user account |
|
|
Possibly trying to bruteforce the "Guest" account.
|
|||
|
|
Injection | Write into memory of another process |
|
|
"c:\program files\microsoft office\office15\winword.exe" modifies memory of "c:\windows\syswow64\svchost.exe"
|
|||
|
"c:\windows\syswow64\svchost.exe" modifies memory of "c:\windows\syswow64\svchost.exe"
|
|||
|
"c:\users\adu0vk~1\appdata\local\temp\bn649b.tmp" modifies memory of "c:\windows\syswow64\explorer.exe"
|
|||
|
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\windows\explorer.exe"
|
|||
|
"c:\windows\explorer.exe" modifies memory of "c:\windows\system32\taskhost.exe"
|
|||
|
"c:\windows\explorer.exe" modifies memory of "c:\windows\system32\dwm.exe"
|
|||
|
"c:\windows\explorer.exe" modifies memory of "c:\windows\syswow64\msiexec.exe"
|
|||
|
"c:\windows\explorer.exe" modifies memory of "c:\windows\system32\taskeng.exe"
|
|||
|
|
Injection | Modify control flow of another process |
|
|
"c:\windows\syswow64\svchost.exe" alters context of "c:\windows\syswow64\svchost.exe"
|
|||
|
"c:\windows\syswow64\explorer.exe" creates thread in "c:\windows\explorer.exe"
|
|||
|
"c:\windows\explorer.exe" creates thread in "c:\windows\system32\taskhost.exe"
|
|||
|
"c:\windows\explorer.exe" creates thread in "c:\windows\system32\dwm.exe"
|
|||
|
"c:\windows\explorer.exe" creates thread in "c:\windows\syswow64\msiexec.exe"
|
|||
|
"c:\windows\explorer.exe" creates thread in "c:\windows\system32\taskeng.exe"
|
|||
|
|
Network | Setup server that accepts incoming connections |
|
|
TCP server listen on port "32090".
|
|||
|
TCP server listen on port "38078".
|
|||
|
TCP server listen on port "0".
|
|||
|
TCP server listen on port "9050".
|
|||
|
|
Process | Create process |
|
|
Create process "C:\Windows\SysWOW64\svchost.exe".
|
|||
|
Create process "cmd /K".
|
|||
|
Create process "C:\Windows\System32\svchost.exe".
|
|||
|
Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\BN649B.tmp".
|
|||
|
Create process "explorer.exe".
|
|||
|
Create process "C:\Windows\syswow64\msiexec.exe".
|
|||
|
Create process "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\tor.exe".
|
|||
|
Create process ""C:\Users\ADU0VK~1\AppData\Local\Temp\certutil.exe" -A -n "yvesl" -t "C,C,C" -i "C:\Users\ADU0VK~1\AppData\Local\Temp\okguaxb.crt" -d "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\Mozilla\Firefox\Profiles\asmpdd98.default"".
|
|||
|
|
Process | Read from memory of another process |
|
|
"c:\users\adu0vk~1\appdata\local\temp\bn649b.tmp" reads from "explorer.exe".
|
|||
|
|
File System | Handle with malicious files |
|
|
|
Network | Download data |
|
|
Url "api.ipify.org/".
|
|||
|
Url "butsulacoft.com/ls5/forum.php".
|
|||
|
Url "supritofuld.ru/ls5/forum.php".
|
|||
|
Url "tekstheks.nl/wp-admin/includes/1".
|
|||
|
Url "tekstheks.nl/wp-admin/includes/2".
|
|||
|
Url "tekstheks.nl/wp-admin/includes/3".
|
|||
|
Url "butsulacoft.com/mlu/forum.php".
|
|||
|
Url "fortsiretbab.com/bdl/gate.php".
|
|||
|
Url "checkip.dyndns.org/".
|
|||
|
Url "butsulacoft.com/d2/about.php".
|
|||
|
|
Browser | Read data related to saved browser credentials |
|
|
Read saved credentials for "Mozilla Firefox".
|
|||
|
Read saved credentials for "Google Chrome".
|
|||
|
Read the master key for "Mozilla Firefox".
|
|||
|
|
Network | Perform DNS request |
|
|
Resolve host name "butsulacoft.com".
|
|||
|
|
Anti Analysis | Delay execution |
|
|
One thread sleeps more than 5 minutes.
|
|||
|
|
Information Stealing | Read system data |
|
|
Readout Windows license key.
|
|||
|
Read the Windows installation date from registry.
|
|||
|
|
Network | Check external IP address |
|
|
Check external IP by asking IP info service at "api.ipify.org/".
|
|||
|
Check external IP by asking IP info service at "checkip.dyndns.org/".
|
|||
|
|
Network | Connect to remote host |
|
|
Outgoing TCP connection to host "62.109.18.138:80".
|
|||
|
Outgoing TCP connection to host "127.0.0.1:49172".
|
|||
|
Outgoing TCP connection to host "82.223.21.74:9001".
|
|||
|
Outgoing TCP connection to host "127.0.0.1:9050".
|
|||
|
|
PE | Execute dropped PE file |
|
|
Execute dropped file "c:\users\adu0vk~1\appdata\local\temp\bn649b.tmp".
|
|||
|
Execute dropped file "c:\users\adu0vk iwa5kls\appdata\roaming\tor.exe".
|
|||
|
Execute dropped file "c:\users\adu0vk~1\appdata\local\temp\certutil.exe".
|
|||
|
|
Hide Tracks | Write large data into the registry |
|
|
Hide 4416 byte in "HKEY_CURRENT_USER\Software\Microsoft\aaf4e053c\1dc1e28ae".
|
|||
|
Hide 1061 byte in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
|
|||
|
Hide 1445 byte in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
|
|||
|
Hide 1828 byte in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
|
|||
|
Hide 3220 byte in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
|
|||
|
Hide 3315 byte in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
|
|||
|
Hide 6682 byte in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
|
|||
|
Hide 2123 byte in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Xayqzo".
|
|||
|
Hide 7244 byte in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
|
|||
|
Hide 7055 byte in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
|
|||
|
Hide 9367 byte in "HKEY_CURRENT_USER\Software\Microsoft\Seto\Yqlozyzuz".
|
|||
|
|
Network | Connect to HTTP server |
|
|
Remote address "api.ipify.org/".
|
|||
|
Remote address "butsulacoft.com/ls5/forum.php".
|
|||
|
Remote address "supritofuld.ru/ls5/forum.php".
|
|||
|
Remote address "tekstheks.nl/wp-admin/includes/1".
|
|||
|
Remote address "tekstheks.nl/wp-admin/includes/2".
|
|||
|
Remote address "tekstheks.nl/wp-admin/includes/3".
|
|||
|
Remote address "butsulacoft.com/mlu/forum.php".
|
|||
|
Remote address "fortsiretbab.com/bdl/gate.php".
|
|||
|
Remote address "checkip.dyndns.org/".
|
|||
|
Remote address "butsulacoft.com/d2/about.php".
|
|||
|
|
PE | Drop PE file |
|
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\bn649b.tmp".
|
|||
|
Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\libeay32.dll".
|
|||
|
Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\libevent-2-0-5.dll".
|
|||
|
Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\libgcc_s_sjlj-1.dll".
|
|||
|
Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\libssp-0.dll".
|
|||
|
Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\ssleay32.dll".
|
|||
|
Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\tor.exe".
|
|||
|
Drop file "c:\users\adu0vk iwa5kls\appdata\roaming\zlib1.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\certutil.exe".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\freebl3.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\libnspr4.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\libplc4.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\libplds4.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\msvcr100.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\nss3.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\nssdbm3.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\nssutil3.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\smime3.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\softokn3.dll".
|
|||
|
Drop file "c:\users\adu0vk~1\appdata\local\temp\sqlite3.dll".
|
|||
|
|
Process | Create system object |
|
|
Create mutex with name "Local\mtxLogMeInIgnition.IgnitionMutex".
|
|||
|
Create mutex with name "e".
|
|||
|
Create mutex with name "Global\{AE124E3B-FDD1-1422-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Global\{85B42B0A-98E0-3F84-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Local\{85B47B09-C8E3-3F84-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Global\{4F600524-B6CE-F550-C27E-E7A907E66EA0}".
|
|||
|
Create mutex with name "Global\{4F600524-B6CE-F550-8E7E-E7A94BE66EA0}".
|
|||
|
Create mutex with name "Global\{8E6A7E3D-CDD7-345A-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Global\{4F600524-B6CE-F550-1A7E-E7A9DFE66EA0}".
|
|||
|
Create mutex with name "Global\{4F600524-B6CE-F550-027C-E7A9C7E46EA0}".
|
|||
|
Create mutex with name "Global\{4F600524-B6CE-F550-6679-E7A9A3E16EA0}".
|
|||
|
Create mutex with name "Global\{4F600524-B6CE-F550-5E7C-E7A99BE46EA0}".
|
|||
|
Create mutex with name "Global\{4F600524-B6CE-F550-8E7D-E7A94BE56EA0}".
|
|||
|
Create mutex with name "Global\{D773FC21-4FCB-6D43-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Global\{86709C2F-2FC5-3C40-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Global\{E4529D1E-2EF4-5E62-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Global\{E4529D1D-2EF7-5E62-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Global\{E4529D1F-2EF5-5E62-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Global\{1F05FC9E-4F74-A535-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Global\{6E93744F-C7A5-D4A3-65D9-FE61A0417768}".
|
|||
|
Create mutex with name "Global\{B7C3F14A-42A0-0DF3-65D9-FE61A0417768}".
|
|||
|
|
VBA Macro | Execute macro on specific worksheet event |
|
|
Execute macro on "Open Document" event.
|
|||
