6ce1abc4...914f

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Spyware, Exploit, Downloader, Dropper

CMG 4 263 PAYMENT ADVICE.xlsx

Excel Document

Created at 2019-09-15T14:56:00

Remarks (2/2)

Anti-Sleep Triggered (0x200000e): The overall sleep time of all monitored processes was truncated from "30 seconds" to "20 seconds" to reveal dormant functionality.

Auto Reboot Triggered (0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Indicators

File (75)

Filename	Hash	Operations	Category
	MD5: f32e6ea47c60aec3a322cd5aa60a3c8d SHA1: af89c8ae9e9299eed5b57e0267b579b63d251614 SHA256: bc446ae5c3e86e73e8c008f9e61a8d749f94b74914d7740b9b129d01012e30ea SSDeep: 192:nMHTDKtQQXKahc9mLqhf/Tgk6aS3FLQMYl:nG8iahAHTI/LQMq ImpHash: None	Access	Memory Dump
\??\C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	-	Access, Read, Write
\??\C:\Users\Public\vbc.exe	-	Access, Read
C:\%insfolder%\%insname%	-	Access
C:\mail\	-	Access
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe	-	Access
C:\Storage\	-	Access
C:\Users\aETAdzjz\AppData\Local\360Chrome\Chrome\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\7Star\7Star\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Amigo\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\BraveSoftware\Brave-Browser\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\CatalinaGroup\Citrio\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\CentBrowser\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Chedot\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Chromium\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\CocCoc\Browser\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Comodo\Dragon\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Coowon\Coowon\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Elements Browser\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Epic Privacy Browser\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\falkon\profiles\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer	-	Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\	-	Access
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	-	Access, Read
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Login Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Iridium\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Kometa\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\liebao\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\MapleStudio\ChromePlus\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Orbitum\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\QIP Surf\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Sputnik\Sputnik\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Temp\637041562706118000_5a486d91-5e81-407c-a6d9-16017ea3a659.db	MD5: 478eeafbb12c55cbec0cbeafb984fed6 SHA1: 147bfddeb74a93227e90f058b5d075b4343a37c8 SHA256: 9239ca0e958d9d9d846202cf7636291130782a02dcbb77eb80a71eeb5574ab82 SSDeep: 3:Lt/hV/plfltt/lE9lllnldlHGltdl/l8/V0V6CVgnG5YRgRzW3Wq3VhjluPjqwod:5X9cvVmXy/VcRK3Xhj03tDiSgJH0cLD ImpHash: None	Access, Read, Create	Dropped File
C:\Users\aETAdzjz\AppData\Local\Temp\637041563908370000_d3625fbb-19c3-4284-a122-f008796776d0.db	MD5: 478eeafbb12c55cbec0cbeafb984fed6 SHA1: 147bfddeb74a93227e90f058b5d075b4343a37c8 SHA256: 9239ca0e958d9d9d846202cf7636291130782a02dcbb77eb80a71eeb5574ab82 SSDeep: 3:Lt/hV/plfltt/lE9lllnldlHGltdl/l8/V0V6CVgnG5YRgRzW3Wq3VhjluPjqwod:5X9cvVmXy/VcRK3Xhj03tDiSgJH0cLD ImpHash: None	Access, Read, Create	Dropped File
C:\Users\aETAdzjz\AppData\Local\Tencent\QQBrowser\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage	-	Access
C:\Users\aETAdzjz\AppData\Local\Torch\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\uCozMedia\Uran\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\	-	Access
C:\Users\aETAdzjz\AppData\Local\VirtualStore\Program Files\Foxmail\mail\	-	Access
C:\Users\aETAdzjz\AppData\Local\Vivaldi\User Data	-	Access
C:\Users\aETAdzjz\AppData\Local\Yandex\YandexBrowser\User Data	-	Access
C:\Users\aETAdzjz\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Claws-mail	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Claws-mail\clawsrc	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Comodo\IceDragon\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Flock\Browser\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\K-Meleon\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe.config	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	-	Access, Read
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key4.db	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\logins.json	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\icecat\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Opera Mail\Opera Mail\wand.dat	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Pocomail\accounts.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Postbox\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\The Bat!	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\profiles.ini	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Trillian\users\global\accounts.dat	-	Access
C:\Users\aETAdzjz\AppData\Roaming\Waterfox\profiles.ini	-	Access
C:\Users\aETAdzjz\s.exe	MD5: 83153cdead58be81d90ffb518a1c87fe SHA1: 519dcf5eb793527b93b1af82548ed9aa8fbeb5b6 SHA256: 270e56e60bab1c286c06f71fcf3b9b5a1b6b17d3acfb1f939d6b988400ddea7a SSDeep: 12288:IS49pgN6PiNfCZL3Bv1X1/SI1wJyJYfVYMLvMXZG+k:LiihCV9NtALLEJz ImpHash: None	Access, Create	Downloaded File
C:\Users\aETAdzjz\s.exe:Zone.Identifier	-	Access, Delete
C:\Users\Public\vbc.exe	MD5: 83153cdead58be81d90ffb518a1c87fe SHA1: 519dcf5eb793527b93b1af82548ed9aa8fbeb5b6 SHA256: 270e56e60bab1c286c06f71fcf3b9b5a1b6b17d3acfb1f939d6b988400ddea7a SSDeep: 12288:IS49pgN6PiNfCZL3Bv1X1/SI1wJyJYfVYMLvMXZG+k:LiihCV9NtALLEJz ImpHash: None	Access, Create	Downloaded File
C:\Users\Public\vbc.exe.config	-	Access
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config	-	Access
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	-	Access
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config	-	Access
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config	-	Access, Read
C:\Windows\system32\Folder.lst	-	Access

Registry (35)

Registry Key Name	Operations
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview	Access
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1	Access
HKEY_CURRENT_USER\Software\IncrediMail\Identities	Access
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password	Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676	Access
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Access
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine	Access
HKEY_CURRENT_USER\Software\RimArts\B2\Settings	Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId	Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework	Access
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting	Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger	Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting	Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level	Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace	Access, Read

Mutex (2)

Mutex Name	Operations
Startup_shellcode_006	Access
frenchy_shellcode_006	Access

Domain (1)

Domain	Sources
workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com	PCAP, Function Log

URL (1)

URL	Operations	Category
http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/bigb/win32.exe	GET	Contacted

IP (1)

IP	Protocols	Sources
23.249.165.218	DNS, HTTP, TCP	PCAP, Function Log

Export to TXT Export to JSON

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Remarks (2/2)

Indicators

Before

After