Excel File Drops Malicious Payload (2018-02-13) | VTI by Score
VTI Information
VTI Score: 100 / 100
VTI Database Version: 2.6
VTI Rule Match Count: 17
VTI Rule Type: Documents
Detected Threats
Injection: Write into memory of a process running from a created or modified executable
    "c:\users\kft6utqw\appdata\local\temp\heidi.exe" modifies memory of "c:\users\kft6utqw\appdata\local\temp\heidi.exe"
Injection: Modify control flow of a process running from a created or modified executable
    "c:\users\kft6utqw\appdata\local\temp\heidi.exe" alters context of "c:\users\kft6utqw\appdata\local\temp\heidi.exe"
Network: Download file
    Download file from "http://kdotraky.com/kat/val.exe" to "c:\users\kft6utqw\appdata\local\temp\heidi.exe".
Process: Create process
    Create process "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe".
Anti Analysis: Try to detect debugger
    Check via API "NtQueryInformationProcess".
File System: Handle with malicious files
    File "c:\users\kft6utqw\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\val[1].exe" is a known malicious file.
Network: Reputation URL lookup
    URL "http://kdotraky.com/kat/val.exe" is known as malicious URL.
    URL "kdotraky.com/temp/Panel/five/fre.php" is known as malicious URL.
Network: Download data
    URL "http://kdotraky.com/kat/val.exe".
    URL "kdotraky.com/temp/Panel/five/fre.php".
Browser: Read data related to saved browser credentials
    Read saved credentials for "Google Chrome".
Network: Perform DNS request
    Resolve host name "kdotraky.com".
    Resolve host name "—‹‹ÅÐД›‹ž”†Ñœ’Ћš’Ð¯ž‘š“Й–‰šÐ™šÑ—".
Network: Connect to remote host
    Outgoing TCP connection to host "101.99.75.184:80".
Information Stealing: Read system data
    Read the cryptographic machine GUID from registry.
Network: Connect to HTTP server
    URL "kdotraky.com/temp/Panel/five/fre.php".
PE: Drop PE file
    Drop file "c:\users\kft6utqw\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\val[1].exe".
Process: Create system object
    Create mutex with name "73EE9CC98E5412EEF2B9A336".