0d4e21ce...5b6c | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Dropper, Downloader

0d4e21cec341cd742aa47f3f3bd4b7a903ab558a646ddd2c55b153bbf7dc5b6c (SHA256)

orden de pedido 05.xlsx

Excel Document

Created at 2018-11-05 09:27:00

...

Notifications (2/2)

One or multiple processes crashed. As a result, the analysis results may be incomplete and may not fully represent the behavior of the sample.

The operating system was rebooted during the analysis.

Indicators

File (11)
»
Filename Hash Operations Source
C:\Users\aETAdzjz\AppData\Local\Temp\aETAdzjz.bmp MD5: 343fa15c150a516b20cc9f787cfd530e
SHA1: 369e8ac39d762e531d961c58b8c5dc84d19ba989
SHA256: d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524
SSDeep: 768:wjof+RdBZJ2g653hvqs+Rcb+SBMdK4tztHDyecRa6Xs9X/jPlu6tKvUfsQscD:wjE+132lhisKZdltWeks9Ru6nsQscD
ImpHash: None 		Access, Read Created File
C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT - Access
C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe MD5: 7cd1dbbd8457d59274642c9a6e3e60dd
SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d
SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7
SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2
ImpHash: de9f683dc8381813a744f3e1838e7601 		Access, Read Created File
C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe:ZoneIdentifier MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
ImpHash: None 		Access, Write Created File
C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 - Access
C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe MD5: 7cd1dbbd8457d59274642c9a6e3e60dd
SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d
SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7
SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2
ImpHash: de9f683dc8381813a744f3e1838e7601 		Access, Write Created File
C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut MD5: a634cb7eb39b833d885186b5ba1023f2
SHA1: c12e1a24fe39d4017ca8bade72dce2f128ca1f46
SHA256: 8806d6fd705d67f18eaa6c95806d405cd3a3a56e41636958a408973f602daebf
SSDeep: 768:wjof+RdBZJ2g653hvqs+Rcb+SBMdK4tztHDyecRa6Xs9X/jPlu6tKvUfsQscL:wjE+132lhisKZdltWeks9Ru6nsQscL
ImpHash: None 		Access, Write Created File
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs MD5: 6fe3ecd814abef913dd5064746ad05bc
SHA1: 536cb57f4568328db82d729ab34f0753ab45e0a2
SHA256: eaf5fa6489fc6913be7dc196d71f0c22e36f8a8a48899be71a366d1e1112b141
SSDeep: 3:DG0VRmnwzFTUXoLqgBPN9lLenoJxzp4EaKC5NupEl0dAH2:DjinwtfPBPNCo/zpJaZ5NupE7W
ImpHash: None 		Access, Write Created File
C:\Users\aETAdzjz\AppData\Roaming\svchost.exe MD5: 7cd1dbbd8457d59274642c9a6e3e60dd
SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d
SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7
SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2
ImpHash: de9f683dc8381813a744f3e1838e7601 		Access Created File
C:\Windows\Help\.HLP - Access
C:\Windows\system32\.HLP - Access
Registry (33)
»
Registry Key Name Operations
HKEY_CLASSES_ROOT\.vbs Access, Read
HKEY_CLASSES_ROOT\VBSFile\ScriptEngine Access, Read
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Access
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 Write
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Access
HKEY_CURRENT_USER\Software\Borland\Locales Access
HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 Access
HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0\AllowUnsafeObjectPassing Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings Access
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify Write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 Write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 Write
HKEY_LOCAL_MACHINE\Software\Borland\Locales Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER Read
Mutex (2)
»
Mutex Name Operations
1159BD3 Access
I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 Access
Domain (1)
»
Domain Sources
23.249.167.158 Function Log
URL (1)
»
URL Operations Sources
http://23.249.167.158/file/doc/scvhost.exe GET Function Log
IP (2)
»
IP Protocols Sources
23.249.167.158 HTTP, TCP PCAP, Function Log
46.183.220.14 TCP PCAP
Export IOCs
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image