| VTI Score | 91 / 100 |
|---|---|
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 13 |
| VTI Rule Type | Default (PE, ...) |

| Category | Rule | Detail |
|---|---|---|
| Anti Analysis | Illegitimate API usage | Internal API "CreateProcessInternalA" was used to start "explorer.exe". |
| Anti Analysis | Try to detect virtual machine | Reads out system information commonly used to detect VMs via the registry (value "0" in key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum"). |
| Hide Tracks | Delete file after execution | Deletes executable "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe". |
| Injection | Write into memory of another process | "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" modifies memory of "c:\windows\syswow64\explorer.exe". |
| Network | Connect to remote host | Outgoing TCP connection to host "www.msn.com:80". |
| Network | Connect to remote host | Outgoing TCP connection to host "104.84.181.107:80". |
| Network | Download data | URL "http://www.msn.com/". |
| Network | Download data | URL "http://go.microsoft.com/fwlink/?LinkId=133405". |
| Persistence | Install system startup script or application | Adds "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe" to Windows startup via the registry. |
| Process | Allocate a page with write and execute permissions | Allocates a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. |
| Process | Create process with hidden window | The process "explorer.exe" starts with a hidden window. |
| Process | Read from memory of another process | "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" reads from "explorer.exe". |
| Process | Create system object | Creates mutex with name "FCAA85F5B5437C4D7919D716988890AF30565E9E". |

Other VTI categories listed without details: Browser, Device, File System, Information Stealing, Kernel, Masquerade, OS, PE, VBA Macro, YARA.