IQY File uses PowerShell to Download a Malicious .exe | VTI
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Backdoor, Trojan, Dropper, Downloader

76917b219ad5a1ff8229a75eb23c34a9ad1ce98264257d3cca538ac59c49a15f (SHA256)

29082018_64943.iqy

Excel Document

Created at 2018-08-30 14:38:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Severity | Category | Operation | Classification
5/5 | Anti Analysis | Tries to detect virtual machine | -
  • Reads out system information, commonly used to detect VMs via registry. (Value "SystemProductName" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS").
  • Possibly trying to detect VMware via registry "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools".
5/5 | Anti Analysis | Tries to detect application sandbox | -
  • Possibly trying to detect "Threadexpert" by checking for existence of module "dbghelp.dll".
  • Possibly trying to detect "SunBelt Sandbox" by checking for existence of module "pstorec.dll".
  • Possibly trying to detect "Virtual PC" by checking for existence of module "vmcheck.dll".
  • Possibly trying to detect "SunBelt Sandbox" by checking for existence of module "api_log.dll".
  • Possibly trying to detect "Sandboxie" by checking for existence of module "SbieDll.dll".
  • Possibly trying to detect "SunBelt Sandbox" by checking for existence of module "dir_watch.dll".
  • Possibly trying to detect "Comodo Sandbox" by checking for existence of module "cmdvrt32.dll".
5/5 | Anti Analysis | Tries to detect a forensic tool | -
  • Tries to detect forensic tools by checking if the DLL "SunBelt Sandbox" exists.
  • Tries to detect forensic tools by checking if the DLL "Winsock Packet Editor" exists.
4/5 | Process | Creates process | -
  • Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
  • Creates process "A.exe x B.7z -psL3117nTGnp393SLZxZy -o"C:\Users\aDU0VK IWA5kLS\AppData\Roaming" -aoa".
  • Creates process "cmd /c start "" "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe"".
  • Creates process "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe".
4/5 | File System | Known malicious file | Trojan, Backdoor
  • File "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe" is a known malicious file.
4/5 | Network | Downloads data | Downloader
3/5 | Network | Performs DNS request | -
3/5 | Persistence | Installs system startup script or application | -
  • Adds "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe" to Windows startup via registry.
3/5 | PE | Executes dropped PE file | -
  • Executes dropped file "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe".
2/5 | Anti Analysis | Tries to detect debugger | -
2/5 | Network | Associated with known malicious/suspicious URLs | -
  • URL "ms365box.com" is known as malicious URL.
  • URL "http://ms365box.com/" is known as malicious URL.
  • URL "http://ms365box.com/update.1" is known as malicious URL.
2/5 | Network | Connects to HTTP server | -
2/5 | PE | Drops PE file | Dropper
  • Drops file "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe".
1/5 | Process | Creates system object | -
1/5 | PE | The PE file was created with a packer | -
  • File "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe" is packed with "Armadillo v1.71".