0d4e21ce...5b6c | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Dropper, Downloader

0d4e21cec341cd742aa47f3f3bd4b7a903ab558a646ddd2c55b153bbf7dc5b6c (SHA256)

orden de pedido 05.xlsx

Excel Document

Created at 2018-11-05 09:27:00

...

Notifications (2/2)

One or multiple processes crashed. As a result, the analysis results may be incomplete and may not fully represent the behavior of the sample.

The operating system was rebooted during the analysis.

Severity Category Operation Classification
5/5
Hide Tracks Uses Alternate Data Stream (ADS) for interprocess communication -
5/5
Injection Writes into the memory of another running process -
  • "c:\users\aetadzjz\appdata\roaming\document\document.exe" modifies memory of "c:\program files (x86)\internet explorer\iexplore.exe"
    ...
5/5
Injection Writes into the memory of a process running from a created or modified executable -
  • "c:\users\aetadzjz\appdata\roaming\document\document.exe" modifies memory of "c:\users\aetadzjz\appdata\roaming\document\document.exe"
    ...
5/5
Injection Modifies control flow of another process -
  • "c:\users\aetadzjz\appdata\roaming\document\document.exe" alters context of "c:\program files (x86)\internet explorer\iexplore.exe"
    ...
5/5
Injection Modifies control flow of a process running from a created or modified executable -
  • "c:\users\aetadzjz\appdata\roaming\document\document.exe" alters context of "c:\users\aetadzjz\appdata\roaming\document\document.exe"
    ...
4/5
Network Downloads file Downloader
  • Downloads file from "http://23.249.167.158/file/doc/scvhost.exe" to "c:\users\aetadzjz\appdata\roaming\svchost.exe".
    ...
4/5
Process Creates process -
  • Creates process ""C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 1 "C:\Users\aETAdzjz\AppData\Roaming\svchost.exe" 1159BD3".
    ...
  • Creates process "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe".
    ...
  • Creates process ""C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe"".
    ...
  • Creates process ""C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 2 2616 18220554".
    ...
  • Creates process "C:\Program Files (x86)\Internet Explorer\iexplore.exe".
    ...
4/5
Network Downloads data Downloader
3/5
Persistence Installs system startup script or application -
  • Adds "c:\users\aetadzjz\appdata\roaming\microsoft\windows\start menu\programs\startup\document.vbs" to Windows startup folder.
    ...
  • Adds "C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe" to Windows startup via registry.
    ...
3/5
PE Executes dropped PE file -
  • Executes dropped file "c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\scvhost[1].exe".
    ...
3/5
Process Process crashed -
  • Process "c:\program files (x86)\internet explorer\iexplore.exe" crashed.
    ...
2/5
Anti Analysis Tries to detect debugger -
2/5
PE Drops PE file Dropper
  • Drops file "c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\scvhost[1].exe".
    ...
1/5
Process Creates system object -
1/5
Static Unparsable sections in file -
  • Static analyzer was unable to completely parse the analyzed file: C:\Users\aETAdzjz\Desktop\orden de pedido 05.xlsx.
    ...
1/5
Static Office document encrypted -
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image