| Field | Value |
|---|---|
| VTI Score | 100 / 100 |
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 34 |
| VTI Rule Type | Documents |
Injection
- Write into memory of another process
  - "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" modifies memory of "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe"
  - "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" modifies memory of "c:\windows\syswow64\explorer.exe"
  - "c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" modifies memory of "c:\users\hjrd1k~1\appdata\roaming\convin~1.exe"
  - "c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" modifies memory of "c:\windows\syswow64\explorer.exe"
  - "c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\internet explorer\iexplore.exe"
- Modify control flow of another process
  - "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" alters context of "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe"
  - "c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" alters context of "c:\users\hjrd1k~1\appdata\roaming\convin~1.exe"

Network
- Perform DNS request
  - Resolve "foandrenla.com".

OS
- Disable crucial system service
  - Disable "Windows Firewall Service" by ChangeServiceConfigW.

PE
- Execute dropped PE file
  - Execute dropped file "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe".
- Drop PE file
  - Drop file "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe".
  - Drop file "c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll".

Process
- Create process
  - Create process "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe".
  - Create process "C:\Windows\SysWOW64\explorer.exe".
  - Create process "cmd.exe \c makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"".
  - Create process "C:\Windows\system32\makecab.exe".
  - Create process "cmd.exe \c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" \extract:"C:\Windows\SysWOW64\drivers"".
  - Create process "c:\windows\system32\wusa.exe".
  - Create process "cmd.exe \c makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"".
  - Create process "C:\Windows\SysWOW64\drivers\wusa.exe".
  - Create process "C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE".
  - Create process "cmd.exe \c net stop MpsSvc".
  - Create process "cmd.exe \c sc config MpsSvc start= disabled".
  - Create process "C:\Windows\system32\net.exe".
  - Create process "C:\Windows\system32\sc.exe".
  - Create process ""C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome".
  - Create process "vssadmin.exe delete shadows /all /quiet".
  - Create process "bcdedit /set {default} recoveryenabled no".
  - Create process "bcdedit /set {default} bootstatuspolicy ignoreallfailures".
- Read from memory of another process
  - "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" reads from "C:\Windows\SysWOW64\explorer.exe".
  - "c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" reads from "C:\Windows\SysWOW64\explorer.exe".
  - "c:\windows\syswow64\explorer.exe" reads from ""C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome".

VBA Macro
- Ability to read/write files
  - `cynodon = FreeFile`
- Execute macro on specific worksheet event
  - Execute macro on "Activate Workbook" event.
Remaining VTI categories with no matched rules:
- Anti Analysis
- Browser
- Device
- File System
- Hide Tracks
- Information Stealing
- Kernel
- Masquerade
- Persistence
- YARA