VMRay Analyzer Report
VTI Score 77 / 100 | |
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 25 |
| VTI Rule Type | Default (PE, ...) |
 | Anti Analysis | |
| Try to detect application sandbox | |
Possibly trying to detect "Sandboxie" by checking for existance of module "SbieDll.dll". | ||
| Try to detect virtual machine | |
Possibly trying to detect VirtualPC via vpcext instruction at "0xb073f0f". | ||
| Dynamic API usage | |
Resolve more than 50 APIs. | ||
| File System | |
| Modify operating system directory | |
Modify "c:\windows\system32\install\svhost.exe". | ||
| Injection | |
| Write into memory of an other process | |
"c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\windows\explorer.exe" | ||
"c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\windows\syswow64\explorer.exe" | ||
"c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\program files\internet explorer\iexplore.exe" | ||
"c:\windows\syswow64\install\svhost.exe" modifies memory of "c:\program files\internet explorer\iexplore.exe" | ||
| Modify control flow of an other process | |
"c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" creates thread in "c:\windows\syswow64\explorer.exe" | ||
| Persistence | |
| Install system startup script or application | |
Add "C:\Windows\system32\install\svhost.exe" to windows startup via registry. | ||
Add "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe" to windows startup via registry. | ||
| Process | |
| Create many processes | |
More than 50 processes were monitored. | ||
| Create system object | |
Create mutex with name "_x_X_UPDATE_X_x_". | ||
Create mutex with name "_x_X_PASSWORDLIST_X_x_". | ||
Create mutex with name "_x_X_BLOCKMOUSE_X_x_". | ||
Create mutex with name "***MUTEX***". | ||
Create mutex with name "***MUTEX***_PERSIST". | ||
Create mutex with name "***MUTEX***_SAIR". | ||
| Allocate a page with write and execute permissions | |
Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. | ||
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. | ||
Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READ"). | ||
| Create process with hidden window | |
The process "explorer.exe" starts with hidden window. | ||
The process "C:\Program Files\Internet Explorer\iexplore.exe" starts with hidden window. | ||
The process "C:\Windows\system32\install\svhost.exe" starts with hidden window. | ||
| Obfuscate control flow | |
Modify exception handler (e.g., the instruction pointer is modified within an exception handler filter). | ||
| - | Browser | |
| - | Device | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Kernel | |
| - | Masquerade | |
| - | Network | |
| - | OS | |
| - | PE | |
| - | VBA Macro | |
| - | YARA | |
