IQY File uses PowerShell to Download a Malicious .exe | Network
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Backdoor, Trojan, Dropper, Downloader

76917b219ad5a1ff8229a75eb23c34a9ad1ce98264257d3cca538ac59c49a15f (SHA256)

29082018_64943.iqy

Excel Document

Created at 2018-08-30 14:38:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Network Overview

Hosts (2)
Hostname IP Address Location Protocols Reputation Status
ms365box.com 31.202.128.249 Kharkiv (Ukraine) HTTP, TCP, UDP Has Blacklisted URL
localhost 0000:0000:0000:0000:0000:0000:0000:0001, 127.0.0.1 - - Unknown
DNS Queries (2)
Hostname Categories Names Source Reputation Status
ms365box.com Malware Mal/HTMLGen-A Function Log Blacklisted
localhost - - Function Log Unknown
URLs (4)
URL Categories Names Source HTTP Status Code Reputation Status
http://ms365box.com/update.2 Malware Mal/HTMLGen-A Function Log OK (200) Blacklisted
http://ms365box.com/inv C&C C2/Generic-A Function Log - Blacklisted
http://ms365box.com/ Malware Mal/HTMLGen-A PCAP OK (200) Blacklisted
http://ms365box.com/update.1 Malware Mal/HTMLGen-A PCAP OK (200) Blacklisted

Connections

ICMP (2)
Operation Additional Information Success Count Logfile
Send ICMP Echo source_address = 24.246.30.0, destination_address = 224.85.207.0, timeout = 4000 True 2 Fn
DNS (3)
Operation Additional Information Success Count Logfile
Resolve Name host = ms365box.com, address_out = 31.202.128.249 True 1 Fn
Resolve Name host = localhost False 1 Fn
Resolve Name host = localhost, address_out = 0000:0000:0000:0000:0000:0000:0000:0001, 127.0.0.1 True 1 Fn
TCP Sessions (2)
Information Value
Total Data Sent 10.86 KB
Total Data Received 267.00 KB
Contacted Host Count 1
Contacted Hosts 31.202.128.249
TCP Session #1
Information Value
Source PCAP
Stream ID 0
Remote Address 31.202.128.249
Remote Port 80
Local Address 192.168.0.21
Local Port 49158
Data Sent 0.97 KB
Data Received 0.89 KB
Time Highest Layer Additional Information Success
33.751322 s TCP Data Sent: 0.06 KB, Data Received: 0.06 KB True
33.820344 s TCP Data Sent: 0.05 KB, Data Received: 0.25 KB True
33.821565 s HTTP Data Sent: 0.20 KB, Data Received: 0.05 KB True
34.045748 s URLENCODED-FORM Data Sent: 0.49 KB, Data Received: 0.47 KB True
34.337179 s TCP Data Sent: 0.05 KB, Data Received: 0.05 KB True
99.135242 s TCP Data Sent: 0.05 KB, Data Received: 0.00 KB False
100.606387 s TCP Data Sent: 0.05 KB, Data Received: 0.00 KB False
TCP Session #2
Information Value
Source PCAP
Stream ID 1
Remote Address 31.202.128.249
Remote Port 80
Local Address 192.168.0.21
Local Port 49159
Data Sent 9.89 KB
Data Received 266.10 KB
Time Highest Layer Additional Information Success
52.847120 s TCP Data Sent: 0.06 KB, Data Received: 0.06 KB True
52.907830 s TCP Data Sent: 0.05 KB, Data Received: 0.52 KB True
52.935761 s HTTP Data Sent: 0.12 KB, Data Received: 0.05 KB True
53.132136 s HTTP Data Sent: 0.09 KB, Data Received: 1.48 KB True
53.187125 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.242069 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.242280 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.242473 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.242952 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.248689 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.296487 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.296729 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.296938 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.297158 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.297509 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.297694 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.299508 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.300186 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.300685 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.301236 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.301729 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.304541 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.304825 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.305251 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.350449 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.353988 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.354627 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.355015 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.355556 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.356194 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.356416 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.356570 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.356679 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.356810 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.358959 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.408273 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.408594 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.413154 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.413537 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.419263 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.419366 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.419771 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.421118 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.422329 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.462562 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.463029 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.463237 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.463540 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.463822 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.464134 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.464429 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.464770 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.465278 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.465496 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.465620 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.465805 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.465921 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.466054 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.466312 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.466529 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.466748 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.467011 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.467356 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.467745 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.468037 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.468189 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.468261 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.468405 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.468635 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.469144 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.469743 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.469987 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.470507 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.470683 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.470932 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.471236 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.471389 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.474701 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.475086 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.475470 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.475550 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.475719 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.475786 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.476282 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.476611 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.476805 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.477062 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.477317 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.477723 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.477976 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.478274 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.478706 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.479019 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.479277 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.479531 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.479758 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.480347 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.480593 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.480842 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.481131 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.484799 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.485228 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.485487 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.485705 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.486008 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.486229 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.486517 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.486991 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.487200 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.487712 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.487990 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.488259 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.488528 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.488696 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.488953 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.489283 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.489449 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.489807 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.490020 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.490326 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.490597 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.490746 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.490833 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.491227 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.491700 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.491982 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.492471 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.492713 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.493005 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.493277 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.493717 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.494223 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.494474 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.494769 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.517291 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.517665 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.517845 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.518154 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.518439 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.518602 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.518902 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.519203 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
53.519408 s TCP Data Sent: 0.05 KB, Data Received: 1.48 KB True
The remaining entries of this session are omitted for performance reasons and can be found in analysis.pcap .
UDP Sessions (1)
Information Value
Total Data Sent 0.07 KB
Total Data Received 0.33 KB
Contacted Host Count 1
Contacted Hosts 192.168.0.1
UDP Session #1
Information Value
Source PCAP
Stream ID 38
Remote Address 192.168.0.1
Remote Port 53
Local Address 192.168.0.21
Local Port 61468
Data Sent 0.07 KB
Data Received 0.33 KB
Time Highest Layer Additional Information Success
33.748240 s DNS Data Sent: 0.07 KB, Data Received: 0.33 KB True
HTTP Sessions (4)
Information Value
Total Data Sent 0.80 KB
Total Data Received 806.09 KB
Contacted Host Count 1
Contacted Hosts ms365box.com
HTTP Session #1
Information Value
Source Function Log
Server Name ms365box.com
Server Port 80
Data Sent 0.07 KB
Data Received 0.47 KB
Operation Additional Information Success Count Logfile
Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1 Fn
Open Connection protocol = http, server_name = ms365box.com, server_port = 80 True 1 Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /update.2 True 1 Fn
Send HTTP Request headers = host: ms365box.com, connection: Keep-Alive, url = ms365box.com/update.2 True 1 Fn
Read Response size = 4096, size_out = 479 True 1 Fn
HTTP Session #2
Information Value
Source Function Log
Server Name ms365box.com
Server Port 80
Data Sent 0.04 KB
Data Received 804.90 KB
Operation Additional Information Success Count Logfile
Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1 Fn
Open Connection protocol = http, server_name = ms365box.com, server_port = 80 True 1 Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /inv True 1 Fn
Send HTTP Request headers = host: ms365box.com, url = ms365box.com/inv True 1 Fn
Read Response size = 4096, size_out = 4096 True 1 Fn
Read Response size = 65536, size_out = 7584 True 1 Fn
Read Response size = 65536, size_out = 23360 True 1 Fn
Read Response size = 65536, size_out = 2920 True 1 Fn
Read Response size = 65536, size_out = 23360 True 1 Fn
Read Response size = 65536, size_out = 35040 True 1 Fn
Read Response size = 65536, size_out = 54020 True 1 Fn
Read Response size = 65536, size_out = 1460 True 1 Fn
Read Response size = 65536, size_out = 14600 True 1 Fn
Read Response size = 65536, size_out = 65536 True 1 Fn
Read Response size = 65536, size_out = 14764 True 1 Fn
Read Response size = 65536, size_out = 16060 True 1 Fn
Read Response size = 65536, size_out = 54020 True 1 Fn
Read Response size = 65536, size_out = 16060 True 1 Fn
Read Response size = 65536, size_out = 24820 True 1 Fn
Read Response size = 65536, size_out = 26280 True 1 Fn
Read Response size = 65536, size_out = 14600 True 1 Fn
Read Response size = 65536, size_out = 8760 True 1 Fn
Read Response size = 65536, size_out = 3472 True 1 Fn
Read Response size = 65536, size_out = 50548 True 1 Fn
Read Response size = 65536, size_out = 42340 True 1 Fn
Read Response size = 65536, size_out = 54020 True 1 Fn
Read Response size = 65536, size_out = 64240 True 1 Fn
Read Response size = 65536, size_out = 35040 True 1 Fn
Read Response size = 65536, size_out = 43800 True 1 Fn
Read Response size = 65536, size_out = 52560 True 1 Fn
Read Response size = 65536, size_out = 39420 True 1 Fn
Read Response size = 31437, size_out = 24820 True 1 Fn
Read Response size = 6617, size_out = 5840 True 1 Fn
Read Response size = 777, size_out = 777 True 1 Fn
Close Session - True 1 Fn
HTTP Session #3
Information Value
Source PCAP
User Agent Microsoft Office Protocol Discovery
Stream ID 0
Server Name ms365box.com
Server Port 80
Data Sent 0.69 KB
Data Received 0.72 KB
Time Operation Additional Information Success
33.821565 s Open Connection protocol = http, server_name = ms365box.com, server_port = 80 True
33.821565 s Open HTTP Request http_verb = OPTIONS, http_version = HTTP/1.1, target_resource = / True
33.821565 s Send HTTP Request - True
33.886503 s Read Response HTTP Status Code = 200 True
34.045748 s Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /update.1 True
34.045748 s Send HTTP Request headers = host: ms365box.com, content_type: application/x-www-form-urlencoded, content_length: 1, accept: text/html, text/plain, text/xml, user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; ms-office), url = http://ms365box.com/update.1 True
34.102036 s Read Response HTTP Status Code = 200 True
HTTP Session #4
Information Value
Source PCAP
User Agent Microsoft Office Protocol Discovery
Stream ID 0
Server Name ms365box.com
Server Port 80
Data Sent 0.69 KB
Data Received 0.72 KB
Time Operation Additional Information Success
33.821565 s Open Connection protocol = http, server_name = ms365box.com, server_port = 80 True
33.821565 s Open HTTP Request http_verb = OPTIONS, http_version = HTTP/1.1, target_resource = / True
33.821565 s Send HTTP Request - True
33.886503 s Read Response HTTP Status Code = 200 True
34.045748 s Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /update.1 True
34.045748 s Send HTTP Request headers = host: ms365box.com, content_type: application/x-www-form-urlencoded, content_length: 1, accept: text/html, text/plain, text/xml, user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; ms-office), url = http://ms365box.com/update.1 True
34.102036 s Read Response HTTP Status Code = 200 True