VMRay Analyzer Report for Sample #630353

Analysis metadata
  Analyzer:           VMRay Analyzer 1.11.0 (VTI Database Version 2.2)
  Sample-ID:          #630353    Submission-ID: #630353    Job-ID: #682187
  Analysis system:    Windows 7
  VTI Score:          100

Sample file
  Path:    C:\Users\hJrD1KOKY DS8lUjv\Desktop\quickbooks_expenses_report_6241186.doc (doc)
  MD5:     cbb60bfa61964f0fddb792cb4e2bce2c
  SHA1:    79b146a68010592fb40aa240bfbd8f8b45778e5a
  SHA256:  2a6ed4487df71f0adffebeb42c6dd183a422fbf948dbf77e7f1631dcdeaae524
  Opened by: VMRay Analyzer (winword.exe)

Process tree
  Format: PID  image [parent PID]  command line. The working directory recorded for every process is C:\Windows\system32.
  Every cmd.exe instance reads the usual command-processor configuration: HKCU Software\Policies\Microsoft\Windows\System
  and HKLM / HKCU Software\Microsoft\Command Processor (DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor,
  CompletionChar, PathCompletionChar, AutoRun); these reads are omitted below.

  2140  winword.exe [1108]  "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE"
        Registry opened: HKCR CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures;
                         HKCR Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 (ThreadingModel);
                         HKCR Typelib; HKCR Typelib\{0D452EE1-E08F-101A-852E-02608C4D0BB4};
                         HKCU Software\Microsoft\VBA\7.1\Common (PropertiesWindow, MainWindow);
                         HKLM Software\Microsoft\Wbem\Scripting (Default Impersonation Level)
        File created:    C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe (exe)
                         MD5    eeef5204913a313f64a2e06dea22b936
                         SHA1   74a5c8175391184a5fd7b32dfde7b9a27386aadf
                         SHA256 927810b771a85383ab0679c559ef7544bb7666f60d84f8e180c405fda1659005
        Process created (no PID recorded): C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe

  2456  convincingly.exe [2296]  "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe"
  2500  convincingly.exe [2456]  "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe"
        Files: STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE; c:\windows\system32\&hdgf$w#gsrghregrw;
               its own image C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe
        (the parent writes into the memory of this child and alters its thread context; see "Injection" below)
  2512  explorer.exe [2500]  C:\Windows\SysWOW64\explorer.exe
        (convincingly.exe reads from and writes into this process; the commands below are spawned from the injected explorer.exe)
        Files created/opened: C:\Windows\SysWOW64\explorer.exe, C:\Windows\SysWOW64\cmd.exe,
               C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab (cab), C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll (dll)
        dpx.dll: MD5    d41d8cd98f00b204e9800998ecf8427e
                 SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
                 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                 Copied_To c:\windows\syswow64\dpx.dll; cabfile.cab recorded as Copied_From source
    2520  cmd.exe [2512]  cmd.exe /c makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"
      2544  makecab.exe [2520]  makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"
    2552  cmd.exe [2512]  cmd.exe /c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers"
      (no PID)  c:\windows\system32\wusa.exe
    2732  cmd.exe [2512]  cmd.exe /c makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"
      2756  makecab.exe [2732]  makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"
    2764  cmd.exe [2512]  cmd.exe /c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers"
    (no PID)  C:\Windows\SysWOW64\drivers\wusa.exe

  Second execution of the dropped binary (8.3 short path):
  2940  convin~1.exe [2928]  C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE
  3024  convin~1.exe [2940]  C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE
        Files: STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE; c:\windows\system32\&hdgf$w#gsrghregrw; its own image
        (as above, the parent writes into this child and alters its thread context)
  3032  explorer.exe [3024]  C:\Windows\SysWOW64\explorer.exe
        (convin~1.exe reads from and writes into this process)
        Registry opened: HKCU Software\Microsoft\Windows; HKCU and HKLM Software\Classes\http\shell\open\command
        Files: C:\Windows\SysWOW64\ntdll.dll; c:\users\hjrd1k~1\appdata\roaming\convin~1.exe
    3040  cmd.exe [3032]  cmd.exe /c net stop MpsSvc
      2116  net.exe [3040]  net stop MpsSvc
        2108  net1.exe [2116]  C:\Windows\system32\net1 stop MpsSvc      -> WinService MPSSVC
    3048  cmd.exe [3032]  cmd.exe /c sc config MpsSvc start= disabled
      2132  sc.exe [3048]  sc config MpsSvc start= disabled               -> WinService MpsSvc (ChangeServiceConfigW)
    2100  iexplore.exe [3032]  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
        (explorer.exe reads from and writes into this process; the following are spawned from the injected iexplore.exe)
      (no PID)  vssadmin.exe delete shadows /all /quiet
      (no PID)  bcdedit /set {default} recoveryenabled no
      (no PID)  bcdedit /set {default} bootstatuspolicy ignoreallfailures
        Network: DNSRecord foandrenla.com; URI foandrenla.com

VTI rule matches
  Score  Category   Rule                               Detail
  5/5    OS         vmray_disable_system_service       Disable "Windows Firewall Service" by ChangeServiceConfigW (disable crucial system service)
  5/5    Injection  vmray_modify_memory                convincingly.exe writes into memory of convincingly.exe (its child)
  5/5    Injection  vmray_modify_memory                convincingly.exe writes into memory of c:\windows\syswow64\explorer.exe
  5/5    Injection  vmray_modify_memory                convin~1.exe writes into memory of convin~1.exe (its child)
  5/5    Injection  vmray_modify_memory                convin~1.exe writes into memory of c:\windows\syswow64\explorer.exe
  5/5    Injection  vmray_modify_memory                c:\windows\syswow64\explorer.exe writes into memory of c:\program files (x86)\internet explorer\iexplore.exe
  5/5    Injection  vmray_modify_control_flow          convincingly.exe alters the thread context of convincingly.exe (its child)
  5/5    Injection  vmray_modify_control_flow          convin~1.exe alters the thread context of convin~1.exe (its child)
  4/5    Process    vmray_read_from_remote_process     convincingly.exe reads from C:\Windows\SysWOW64\explorer.exe
  4/5    Process    vmray_read_from_remote_process     convin~1.exe reads from C:\Windows\SysWOW64\explorer.exe
  4/5    Process    vmray_read_from_remote_process     c:\windows\syswow64\explorer.exe reads from "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  4/5    Process    vmray_document_create_process      Create process, one match per command line:
                                                         "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe"
                                                         "C:\Windows\SysWOW64\explorer.exe"
                                                         cmd.exe /c makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"
                                                         "C:\Windows\system32\makecab.exe"
                                                         cmd.exe /c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers"
                                                         "c:\windows\system32\wusa.exe"
                                                         cmd.exe /c makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"
                                                         "C:\Windows\SysWOW64\drivers\wusa.exe"
                                                         "C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE"
                                                         cmd.exe /c net stop MpsSvc
                                                         cmd.exe /c sc config MpsSvc start= disabled
                                                         "C:\Windows\system32\net.exe"
                                                         "C:\Windows\system32\sc.exe"
                                                         "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
                                                         vssadmin.exe delete shadows /all /quiet
                                                         bcdedit /set {default} recoveryenabled no
                                                         bcdedit /set {default} bootstatuspolicy ignoreallfailures
  3/5    Network    vmray_request_dns_by_name          Resolve "foandrenla.com" (perform DNS request)
  3/5    PE         vmray_execute_dropped_pe_file      Execute dropped file c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe
  2/5    PE         vmray_drop_pe_file                 Drop file c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe
  2/5    PE         vmray_drop_pe_file                 Drop file c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll
  2/5    VBA Macro  vmray_ability_to_read_write_file   cynodon = FreeFile (ability to read/write files)
  1/5    VBA Macro  vmray_execute_macro_on_ws_event    Execute macro on "Activate Workbook" event

Behaviour summary (derived from the records above)
  1. The macro in the .doc writes convincingly.exe to %APPDATA% and executes it (drop + execute rules).
  2. convincingly.exe starts a second copy of itself, writes into that child's memory and rewrites its thread context, then
     does the same to a SysWOW64\explorer.exe it spawns. The write-then-set-context pattern on a freshly created child is
     what the "Injection" rules record; the actual payload code is not identified by this report.
  3. From the injected explorer.exe it uses makecab and wusa /extract to place a copy of wusa.exe together with dpx.dll
     under C:\Windows\SysWOW64\drivers and then runs that relocated wusa.exe. Relocating a signed system binary and putting
     a DLL next to it is consistent with DLL side-loading; the report does not record dpx.dll being loaded, so treat that
     as an inference rather than an observed event.
  4. Caveat for anyone reusing the dpx.dll hashes as indicators: d41d8cd98f00b204e9800998ecf8427e / da39a3ee5e6b4b0d3255bfef95601890afd80709 /
     e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 are the MD5, SHA1 and SHA256 of a zero-byte input. The
     file captured in this run was empty, and these digests will match any empty file; they are not a usable IOC for dpx.dll.
  5. On the second run the injected explorer.exe stops and disables the Windows Firewall service (MpsSvc) via net stop and
     sc config, looks up the http handler in Software\Classes\http\shell\open\command, launches iexplore.exe -nohome and
     injects into it.
  6. The injected iexplore.exe deletes all volume shadow copies (vssadmin delete shadows /all /quiet), turns off Windows
     recovery for the default boot entry (bcdedit recoveryenabled no, bootstatuspolicy ignoreallfailures) and resolves
     foandrenla.com. Shadow-copy deletion plus recovery suppression is the usual pre-encryption step of ransomware; the
     report records only the DNS lookup, no further network traffic.
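The process tree above is the kind of record a detection engineer turns into rules. As an added example, not part of the VMRay report, the Python below runs that triage over records constructed from the report's own command lines and parent links: it tags shadow-copy deletion, boot-recovery tampering, firewall service shutdown, makecab/wusa staging into a Windows directory and executables launched from a user profile, walks the parent chain of each hit, and checks whether a dropped file's digests are those of an empty file. The record shape (pid, ppid, path, cmdline), the rule names and the parent links for the processes whose PID the report did not record are assumptions.

```python
"""Sandbox process-tree triage for the behaviours in the report above.

Added example, not VMRay's code. RECORDS are constructed from the report's
command lines; PIDs are the report's, parent links for the PID-less
vssadmin/bcdedit entries are assumed to be iexplore.exe (2100), under
which the report lists them.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcRecord:
    pid: Optional[int]      # None where the sandbox recorded no PID
    ppid: Optional[int]
    path: str               # full image path, lower-case as the report prints it
    cmdline: str


APPX = r"c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe"
APPS = r"c:\users\hjrd1k~1\appdata\roaming\convin~1.exe"
CMD, EXP = r"c:\windows\syswow64\cmd.exe", r"c:\windows\syswow64\explorer.exe"
IE = r"c:\program files (x86)\internet explorer\iexplore.exe"
ROAM = r"C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming"

# Constructed from the report's process tree (bcdedit lines are plain strings: "{default}" is not a format field).
RECORDS: List[ProcRecord] = [
    ProcRecord(2140, 1108, r"c:\program files (x86)\microsoft office\root\office16\winword.exe",
               r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE"'),
    ProcRecord(2456, 2296, APPX, f'"{APPX}"'),
    ProcRecord(2500, 2456, APPX, f'"{APPX}"'),
    ProcRecord(2512, 2500, EXP, EXP),
    ProcRecord(2520, 2512, CMD, rf'cmd.exe /c makecab "C:\Windows\SysWOW64\wusa.exe" "{ROAM}\cabfile.cab"'),
    ProcRecord(2552, 2512, CMD, rf'cmd.exe /c c:\windows\system32\wusa "{ROAM}\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers"'),
    ProcRecord(2732, 2512, CMD, rf'cmd.exe /c makecab "{ROAM}\dpx.dll" "{ROAM}\cabfile.cab"'),
    ProcRecord(2940, 2928, APPS, r"C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE"),
    ProcRecord(3024, 2940, APPS, r"C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE"),
    ProcRecord(3032, 3024, EXP, EXP),
    ProcRecord(3040, 3032, CMD, "cmd.exe /c net stop MpsSvc"),
    ProcRecord(3048, 3032, CMD, "cmd.exe /c sc config MpsSvc start= disabled"),
    ProcRecord(2100, 3032, IE, f'"{IE}" -nohome'),
    ProcRecord(None, 2100, "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcRecord(None, 2100, "bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcRecord(None, 2100, "bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
]

# Command-line rules (rule names are this example's own, not VMRay's VTI names).
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("boot_recovery_tampering", re.compile(
        r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("firewall_service_tampering", re.compile(
        r"(\bnet1?(\.exe)?\s+stop\s+mpssvc\b|\bsc(\.exe)?\s+config\s+mpssvc\s+start=\s*disabled)", re.I)),
    # makecab whose source sits under C:\Windows\ or under a user's AppData tree
    ("makecab_staging", re.compile(r'\bmakecab(\.exe)?\s+"?(?:[a-z]:\\windows\\|[a-z]:\\users\\[^"]*\\appdata\\)', re.I)),
    # wusa /extract: pointed at a directory under C:\Windows\
    ("wusa_extract_into_windows_dir", re.compile(r'\bwusa(\.exe)?\b.*/extract:"?[a-z]:\\windows\\', re.I)),
]

# Digests of zero bytes; matching all of them means the captured file was empty, not a usable IOC.
EMPTY_DIGESTS = {alg: getattr(hashlib, alg)(b"").hexdigest() for alg in ("md5", "sha1", "sha256")}


def is_empty_file_digest(**digests: str) -> bool:
    """True if every supplied digest (md5=, sha1=, sha256=) equals the digest of an empty input."""
    return bool(digests) and all(EMPTY_DIGESTS[alg] == val.lower() for alg, val in digests.items())


def tags_for(rec: ProcRecord) -> List[str]:
    """Rule names that fire on one record: command-line rules plus the image-location check."""
    tags = [name for name, rx in RULES if rx.search(rec.cmdline)]
    if re.search(r"\\appdata\\", rec.path, re.I):
        tags.append("exe_from_user_profile")
    return tags


def ancestry(by_pid: Dict[int, ProcRecord], ppid: Optional[int], limit: int = 8) -> List[str]:
    """Image basenames of the parent chain, nearest parent first, stopping at unknown PIDs."""
    chain: List[str] = []
    while ppid in by_pid and len(chain) < limit:
        rec = by_pid[ppid]
        chain.append(rec.path.rsplit("\\", 1)[-1])
        ppid = rec.ppid
    return chain


def triage(records: List[ProcRecord]) -> List[dict]:
    """One finding per record that trips at least one rule, with its parent chain."""
    by_pid = {r.pid: r for r in records if r.pid is not None}
    return [{"pid": r.pid, "image": r.path.rsplit("\\", 1)[-1], "tags": tags, "ancestry": ancestry(by_pid, r.ppid)}
            for r in records if (tags := tags_for(r))]


if __name__ == "__main__":
    for f in triage(RECORDS):
        print(f"{str(f['pid']):>5}  {f['image']:<18} {', '.join(f['tags']):<32} parents: {' <- '.join(f['ancestry'])}")
    print("dpx.dll digests are the empty-file digests:",
          is_empty_file_digest(md5="d41d8cd98f00b204e9800998ecf8427e",
                               sha256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
```

The parent chain is what makes the shadow-copy deletion actionable: vssadmin under iexplore.exe under explorer.exe under an executable in AppData is a chain no legitimate workflow produces, whereas vssadmin alone is run by backup software. Anchoring the `makecab_staging` and `wusa_extract_into_windows_dir` rules on the destination and source directories rather than on the tool names keeps ordinary use of makecab and wusa (installing a downloaded .msu) out of the alert stream.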