| Property | Value |
|---|---|
| VTI Score | 100 / 100 |
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 16 |
| VTI Rule Type | Documents |

| Category | Operation | Detail |
|---|---|---|
| File System | Create many files | Create above average number of files. |
| File System | Encrypt content of user files | Encrypt the content of multiple user files. This is an indicator for ransomware. |
| Network | Download data | Url "http://calster.be/87wifhFsdf". |
| Network | Download data | Url "212.109.220.109/imageload.cgi". |
| Network | Connect to HTTP server | Remote address "http://calster.be/87wifhFsdf". |
| Network | Connect to HTTP server | Remote address "212.109.220.109/imageload.cgi". |
| PE | Execute dropped PE file | Execute dropped file "c:\users\aetadzjz\appdata\local\temp\agraba8.exe". |
| PE | Drop PE file | Drop file "c:\users\aetadzjz\appdata\local\temp\agraba8.exe". |
| Process | Create process | Create process "C:\Users\aETAdzjz\Desktop\lukitus.htm". |
| Process | Create process | Create process "C:\Users\aETAdzjz\Desktop\lukitus.bmp". |
| Process | Create process | Create process "cmd.exe /C del /Q /F "C:\Users\aETAdzjz\AppData\Local\Temp\agraba8.exe"". |
| VBA Macro | Create suspicious COM object | CreateObject(VertikName) |
| VBA Macro | Create suspicious COM object | CreateObject(AlertNE) |
| VBA Macro | Create suspicious COM object | CreateObject(AlertN(1)) |
| VBA Macro | Create suspicious COM object | CreateObject(AlertN(3)) |
| VBA Macro | Execute macro on specific worksheet event | Execute macro on "Open Document" event. |

- Anti Analysis
- Browser
- Device
- OS
- Hide Tracks
- Information Stealing
- Injection
- Kernel
- Masquerade
- Persistence
- User
- YARA