VTI Score            | 77 / 100
VTI Database Version | 2.2
VTI Rule Match Count | 25
VTI Rule Type        | Default (PE, ...)
Anti Analysis
  Try to detect application sandbox
    Possibly trying to detect "Sandboxie" by checking for the existence of module "SbieDll.dll". Sandboxie injects this DLL into every process it confines, so a loaded-module check is a cheap sandbox probe.
  Try to detect virtual machine
    Possibly trying to detect VirtualPC via vpcext instruction at "0xb073f0f". The instruction is an invalid opcode on real hardware and in other hypervisors; only a VirtualPC guest executes it without faulting.
  Dynamic API usage
    Resolves more than 50 APIs at runtime, which keeps the import table short and hides which functions the sample actually calls from static tools.
File System
  Modify operating system directory
    Modify "c:\windows\system32\install\svhost.exe". The report also refers to this file as "c:\windows\syswow64\install\svhost.exe": both spellings are the same file seen through WOW64 file system redirection, which sends a 32-bit process's writes to System32 into SysWOW64 on 64-bit Windows. Note also that "svhost.exe" is one character off from the legitimate "svchost.exe", a look-alike name that no Masquerade rule in this database flagged.
Injection
  Write into memory of another process
    "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\windows\explorer.exe"
    "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\windows\syswow64\explorer.exe"
    "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\program files\internet explorer\iexplore.exe"
    "c:\windows\syswow64\install\svhost.exe" modifies memory of "c:\program files\internet explorer\iexplore.exe"
  Modify control flow of another process
    "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" creates thread in "c:\windows\syswow64\explorer.exe"
    Only the 32-bit explorer.exe target has a matching remote thread creation in this report, which is the classic WriteProcessMemory followed by CreateRemoteThread pattern. The writes into iexplore.exe have no listed thread creation, so how (or whether) that written code was executed is not settled by the matches shown here.
Persistence
  Install system startup script or application
    Add "C:\Windows\system32\install\svhost.exe" to Windows startup via registry.
    Add "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe" to Windows startup via registry.
    Two startup entries for the same file name in different directories give the sample a fallback if one copy is removed; both paths, and the matching registry values, are worth checking on a suspected host.
Process
  Create many processes
    More than 50 processes were monitored.
  Create system object
    Create mutex with name "_x_X_UPDATE_X_x_".
    Create mutex with name "_x_X_PASSWORDLIST_X_x_".
    Create mutex with name "_x_X_BLOCKMOUSE_X_x_".
    Create mutex with name "***MUTEX***".
    Create mutex with name "***MUTEX***_PERSIST".
    Create mutex with name "***MUTEX***_SAIR".
    These names are hard-coded and distinctive, which makes them useful host indicators (a running instance can be found by enumerating named mutexes) and useful strings for static rules.
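The Sandboxie module name and the vpcext opcode from the Anti Analysis section, together with the mutex names just listed, are all static indicators that can be searched for without running the sample. The scanner below is an added example, not code from the VMRay report or from the analysed binary: it looks for each string in both narrow and UTF-16LE form (Windows binaries carry both), for the vpcext byte sequence, and shows the check an analyst needs before trusting a 4-byte opcode hit. SAMPLE and EXEC_RANGES are constructed test data, and the vpcext encoding 0F 3F 07 0B is taken from public VirtualPC-detection write-ups rather than from this report.

```python
"""Static scan for the anti-analysis and mutex indicators the report lists.

Added example, not VMRay code.  SAMPLE is a constructed byte blob that stands
in for a binary; it is not the analysed sample.
"""
import re

# vpcext is VirtualPC's "magic" instruction (encoding 0F 3F 07 0B, as given in
# public sandbox-detection write-ups).  It raises #UD on real hardware, which is
# what the detection relies on.
VPCEXT = b"\x0f\x3f\x07\x0b"

STRING_INDICATORS = {
    "sandboxie-module": "SbieDll.dll",
    "mutex-update": "_x_X_UPDATE_X_x_",
    "mutex-passwordlist": "_x_X_PASSWORDLIST_X_x_",
    "mutex-blockmouse": "_x_X_BLOCKMOUSE_X_x_",
    "mutex-persist": "***MUTEX***_PERSIST",
    "mutex-sair": "***MUTEX***_SAIR",
}


def encodings(s):
    """Narrow and wide forms of a string; Win32 code may store either."""
    return {"ascii": s.encode("ascii"), "utf-16le": s.encode("utf-16-le")}


def find_all(data, needle):
    """Offsets of every non-overlapping occurrence of needle in data."""
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def scan(data):
    """Return (indicator, encoding, offset) for every hit, ordered by offset."""
    hits = []
    for name, s in STRING_INDICATORS.items():
        for enc, needle in encodings(s).items():
            hits.extend((name, enc, off) for off in find_all(data, needle))
    hits.extend(("virtualpc-vpcext", "opcode", off) for off in find_all(data, VPCEXT))
    return sorted(hits, key=lambda h: h[2])


def in_executable_range(offset, exec_ranges):
    """A 4-byte opcode pattern also occurs by chance in data.  Only trust an
    opcode hit when its offset lies inside a section mapped executable; the
    ranges are assumed to come from the PE section table."""
    return any(lo <= offset < hi for lo, hi in exec_ranges)


# Constructed blob: a fake header, the Sandboxie module name, some padding,
# the vpcext opcode, a wide mutex name and a narrow one.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"SbieDll.dll\x00"
    + b"\x90" * 8 + VPCEXT + b"\xcc" * 8
    + "_x_X_UPDATE_X_x_".encode("utf-16-le") + b"\x00\x00"
    + b"***MUTEX***_SAIR\x00"
)
# Constructed: pretend bytes 64..119 are the executable .text section.
EXEC_RANGES = [(64, 120)]

if __name__ == "__main__":
    for name, enc, off in scan(SAMPLE):
        trusted = enc != "opcode" or in_executable_range(off, EXEC_RANGES)
        print(f"{off:#06x} {name:20s} {enc:8s} {'ok' if trusted else 'unverified'}")
```

On a real file, replace SAMPLE with the file contents and derive EXEC_RANGES from the section headers; string hits are meaningful anywhere, but an opcode hit outside an executable section is noise.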
  Allocate a page with write and execute permissions
    Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
    Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. Read together with the Injection section, this is the buffer in the target process that receives the written code.
    Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READ"). Writing first and flipping to execute afterwards avoids ever holding an RWX page, so detections that only look for PAGE_EXECUTE_READWRITE miss this variant.
  Create process with hidden window
    The process "explorer.exe" starts with hidden window.
    The process "C:\Program Files\Internet Explorer\iexplore.exe" starts with hidden window.
    The process "C:\Windows\system32\install\svhost.exe" starts with hidden window.
  Obfuscate control flow
    Modify exception handler (e.g., the instruction pointer is modified within an exception handler filter).
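The Injection, Persistence and Process sections above describe one chain: write and RWX-allocate into a foreign process, start a thread there, register the dropped "svhost.exe" for startup, and launch the injection targets with hidden windows. The script below is an added example, not VMRay code, of the correlation a triage analyst would do over such behaviour events. The events in EVENTS are constructed to mirror the report and their field names (src, api, target, protect, key, data, image, show) are assumptions about the export format; the WOW64 path folding and the look-alike name check are the two practitioner checks the report itself does not perform.

```python
"""Correlate sandbox behaviour events into injection, masquerading and
persistence findings.  Added example, not VMRay code.  EVENTS is constructed
to mirror the report; the field names are an assumed export schema.
"""
from collections import defaultdict

SYSTEM_BINARIES = ["svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "iexplore.exe"]
RUN_KEY = "\\currentversion\\run"
STAGE = {"VirtualAllocEx": "alloc", "WriteProcessMemory": "write",
         "CreateRemoteThread": "thread"}
STANDARD_DIRS = ("c:\\windows", "c:\\windows\\system32", "c:\\program files")

# Constructed events, one per observed API call, modelled on the report.
EVENTS = [
    {"src": r"C:\Users\a\Desktop\sample.exe", "api": "VirtualAllocEx",
     "target": r"C:\Windows\SysWOW64\explorer.exe", "protect": "PAGE_EXECUTE_READWRITE"},
    {"src": r"C:\Users\a\Desktop\sample.exe", "api": "WriteProcessMemory",
     "target": r"C:\Windows\SysWOW64\explorer.exe"},
    {"src": r"C:\Users\a\Desktop\sample.exe", "api": "CreateRemoteThread",
     "target": r"C:\Windows\SysWOW64\explorer.exe"},
    {"src": r"C:\Users\a\Desktop\sample.exe", "api": "WriteProcessMemory",
     "target": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"src": r"C:\Windows\SysWOW64\install\svhost.exe", "api": "RegSetValueEx",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Windows\system32\install\svhost.exe"},
    {"src": r"C:\Windows\SysWOW64\install\svhost.exe", "api": "RegSetValueEx",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\a\AppData\Roaming\install\svhost.exe"},
    {"src": r"C:\Windows\SysWOW64\install\svhost.exe", "api": "CreateProcess",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "show": "SW_HIDE"},
]


def canonical(path):
    """Lower-case a path and fold WOW64 redirection: a 32-bit process writing
    to \\Windows\\System32 on 64-bit Windows actually lands in
    \\Windows\\SysWOW64, so both spellings name the same file."""
    return path.lower().replace("\\windows\\syswow64\\", "\\windows\\system32\\")


def levenshtein(a, b):
    """Edit distance, used to catch look-alike names such as svhost/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerades_as(path):
    """Return the system binary whose name the file imitates (edit distance
    1 or 2), or None.  An exact legitimate name is never reported."""
    name = canonical(path).rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES:
        return None
    for legit in SYSTEM_BINARIES:
        if levenshtein(name, legit) <= 2:
            return legit
    return None


def injection_chains(events):
    """Per (source, target) pair, the injection stages seen: 'alloc' (RWX page
    in the target), 'write', 'thread'.  A full chain has all three."""
    stages = defaultdict(set)
    for e in events:
        stage = STAGE.get(e["api"])
        if stage is None:
            continue
        if stage == "alloc" and e.get("protect") != "PAGE_EXECUTE_READWRITE":
            continue  # a plain RW allocation in another process is less telling
        stages[(canonical(e["src"]), canonical(e["target"]))].add(stage)
    return {pair: [s for s in ("alloc", "write", "thread") if s in seen]
            for pair, seen in stages.items()}


def run_key_entries(events):
    """Startup entries written under ...\\CurrentVersion\\Run, each with the
    reasons it looks suspicious."""
    findings = []
    for e in events:
        if e["api"] != "RegSetValueEx" or RUN_KEY not in e["key"].lower():
            continue
        path = canonical(e["data"])
        reasons = []
        legit = masquerades_as(path)
        if legit:
            reasons.append("name imitates " + legit)
        folder = path.rsplit("\\", 1)[0]
        if folder not in STANDARD_DIRS:
            reasons.append("non-standard directory " + folder)
        findings.append((path, reasons))
    return findings


def hidden_launches(events):
    """Images started with SW_HIDE, i.e. with no visible window."""
    return [canonical(e["image"]) for e in events
            if e["api"] == "CreateProcess" and e.get("show") == "SW_HIDE"]


if __name__ == "__main__":
    for (src, tgt), stages in injection_chains(EVENTS).items():
        print("injection", src, "->", tgt, stages)
    for path, reasons in run_key_entries(EVENTS):
        print("startup", path, reasons)
    print("hidden", hidden_launches(EVENTS))
```

The canonical() fold is what lets the two svhost.exe spellings in the report collapse to one file; without it the system32 and syswow64 paths count as two artefacts and a host check on the literal system32 path finds nothing.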
Categories with no matching rules: Browser, Device, Hide Tracks, Information Stealing, Kernel, Masquerade, Network, OS, PE, VBA Macro, YARA.

No Network rule matched, so this report records no observed network activity for the run. Keep the injection into iexplore.exe in mind when weighing that: code running inside a browser inherits its outbound connectivity, and an absent match says nothing about what the injected code would do outside the sandbox.