2f254f3d...5e95 | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Target: win7_64_sp1-mso2016 | ms_office
Classification: Trojan, Dropper, Downloader

2f254f3d9d9c45f97a221faa02f071cba2beb92cc97848e09f6dc754a7585e95 (SHA256)

RRD-139857754091922.doc

Word Document

Created at 2018-04-05 07:19:00

...

Notifications (1/1)

The operating system was rebooted during the analysis because the sample installed a startup script or application for persistence.

Indicators

File (80)
»
Filename Hash Operations
C:\ - Access
C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll - Access
C:\Program Files (x86)\Mozilla Firefox\nss3.dll - Access
C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll - Access
C:\Program Files (x86)\Mozilla Thunderbird - Access
C:\Program Files (x86)\Sea Monkey\nss3.dll - Access
C:\ProgramData\114E.tmp MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 		Access, Write
C:\ProgramData\114F.tmp MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 		Access, Write
C:\ProgramData\1150.tmp MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 		Access
C:\Users - Access
C:\Users\aETAdzjz - Access
C:\Users\aETAdzjz\AppData\ - Access
C:\Users\aETAdzjz\AppData\Local\ - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data - Access, Read
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Web Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data - Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data - Access
C:\Users\aETAdzjz\AppData\Local\Microsoft\ - Access
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\ - Access
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount - Access, Read
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount - Access, Read
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount - Access, Read
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe - Access
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat - Access, Read
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat - Access, Read
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat - Access, Read
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat - Access, Read
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe MD5: e1e61c3cc78ea166684120028b97fc02
SHA1: b088f6483da0b4ebc5b7dd66355c97c91bc1e338
SHA256: 053489532b58188bf6ce8476040c70fcff7c69814b4dc98e1801e1d893160d9c 		Access
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe:Zone.Identifier - Access
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting_lng.ini - Access
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe - Access
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat - Access
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat - Access
C:\Users\aETAdzjz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data - Access
C:\Users\aETAdzjz\AppData\Roaming\Apple Computer\Preferences\keychain.plist - Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini - Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\history.dat - Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\logins.json - Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite - Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite - Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Profiles - Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini - Access
C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data - Access
C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera7\profile\wand.dat - Access
C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera\wand.dat - Access
C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\Profiles - Access
C:\Users\aETAdzjz\Desktop - Access
C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 - Access
C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 - Access
C:\Users\Public\119901.exe MD5: e1e61c3cc78ea166684120028b97fc02
SHA1: b088f6483da0b4ebc5b7dd66355c97c91bc1e338
SHA256: 053489532b58188bf6ce8476040c70fcff7c69814b4dc98e1801e1d893160d9c 		Access, Write
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll - Access
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config - Access
C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml - Access, Read
Registry (101)
»
Registry Key Name Operations
HKEY_CLASSES_ROOT\Licenses Access
HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 Read
HKEY_CLASSES_ROOT\TypeLib Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 Access, Read
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 Access, Read
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 Access, Read
HKEY_CURRENT_USER Access
HKEY_CURRENT_USER\Environment Access, Read
HKEY_CURRENT_USER\Identities Access
HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} Access, Read
HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts Access
HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Access
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Access, Write
HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes Access
HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Access
HKEY_CURRENT_USER\Software\IncrediMail\Identities Access
HKEY_CURRENT_USER\Software\Microsoft\Command Processor Access, Read
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL Access
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts Access
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 Access
HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger Access
HKEY_CURRENT_USER\Software\Microsoft\MessengerService Access
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Access
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Access
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Access
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System Access
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine Access
HKEY_CURRENT_USER\Software\Yahoo\Pager Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla Access
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin Access
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current Access
HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook Access, Read
HKEY_LOCAL_MACHINE\Software\Group Mail Access
HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion Access, Read
HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird Access
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment Access, Read
Mutex (3)
»
Mutex Name Operations
Global\.net clr networking Access, Delete
Global\I705BA84C Access, Delete
Global\M705BA84C Access
URL (2)
»
URL Operations
anatexis.de/RXDWHpi/ GET
23.239.28.4 POST
IP (2)
»
IP Protocols
81.169.145.93 HTTP, DNS, TCP
23.239.28.4 TCP
Export IOCs
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image