| Field | Value |
|---|---|
| VTI Score | 77 / 100 |
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 25 |
| VTI Rule Type | Default (PE, ...) |
| Category | Rule | Details |
|---|---|---|
| Anti Analysis | Try to detect application sandbox | Possibly trying to detect "Sandboxie" by checking for existence of module "SbieDll.dll". |
| Anti Analysis | Try to detect virtual machine | Possibly trying to detect VirtualPC via vpcext instruction at "0xb073f0f". |
| Injection | Write into memory of another process | "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\windows\explorer.exe" |
| | | "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\windows\syswow64\explorer.exe" |
| | | "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\program files\internet explorer\iexplore.exe" |
| | | "c:\windows\syswow64\install\svhost.exe" modifies memory of "c:\program files\internet explorer\iexplore.exe" |
| Injection | Modify control flow of another process | "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" creates thread in "c:\windows\syswow64\explorer.exe" |
| Process | Create many processes | More than 50 processes were monitored. |
| Process | Create system object | Create mutex with name "_x_X_UPDATE_X_x_". |
| | | Create mutex with name "_x_X_PASSWORDLIST_X_x_". |
| | | Create mutex with name "_x_X_BLOCKMOUSE_X_x_". |
| | | Create mutex with name "***MUTEX***". |
| | | Create mutex with name "***MUTEX***_PERSIST". |
| | | Create mutex with name "***MUTEX***_SAIR". |
| File System | Modify operating system directory | Modify "c:\windows\system32\install\svhost.exe". |
| Persistence | Install system startup script or application | Add "C:\Windows\system32\install\svhost.exe" to Windows startup via registry. |
| | | Add "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe" to Windows startup via registry. |
| Process | Allocate a page with write and execute permissions | Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. |
| | | Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. |
| | | Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READ"). |
| Anti Analysis | Dynamic API usage | Resolve more than 50 APIs. |
| Process | Create process with hidden window | The process "explorer.exe" starts with hidden window. |
| | | The process "C:\Program Files\Internet Explorer\iexplore.exe" starts with hidden window. |
| | | The process "C:\Windows\system32\install\svhost.exe" starts with hidden window. |
| Process | Obfuscate control flow | Modify exception handler (e.g., the instruction pointer is modified within an exception handler filter). |