8ad28604...29a2 | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Target: win7_64_sp1-mso2016 | ms_office
Classification: Dropper, Keylogger, Downloader

8ad2860416f81070b57d262e8dcb2894048f18c8989f9c24a870a1582c2129a2 (SHA256)

BZ_Media_Info.doc

Word Document

Created at 2018-03-29 15:42:00

...

Notifications (2/3)

Code overwrite was observed during this analysis. Note that the analysis results may be affected by this modification by the sample.

The overall sleep time of all monitored processes was truncated from "23 seconds" to "10 seconds" to reveal dormant functionality.

The operating system was rebooted during the analysis because the sample installed a startup script or application for persistence.

Indicators

File (30)
»
Filename Hash Operations
C:\ - Access
C:\Users - Access
C:\Users\aETAdzjz - Access
C:\Users\aETAdzjz\AppData\Roaming\Microsoft - Access
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6 - Access
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe MD5: a6f489d45984338621f3c377d82220ce
SHA1: bbe3a54281addb8a59832ecc093f986381f2a622
SHA256: 3d97696c003caf79376088c61bf21d782248fab1f6e8baac0a918013adc654b2 		Access, Write
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js MD5: 98355e412e0ae6a50ea364a9291775ee
SHA1: 511e143755354e79abb3ab4e9870602c8e95f347
SHA256: 8d3037bc713a7c2b9b3c576ebf2404a337b7b6d98b2ef42646d3b0cbb5aa4dc0 		Access, Read, Write
C:\Users\aETAdzjz\Desktop - Access
C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 - Access
C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 - Access
C:\Users\Public\229393.exe MD5: f2eaec8a0c979bc5cc9b6e539e5b53b3
SHA1: ac6b1d839c34bfdef50e9f864ed956b5aeafba1a
SHA256: 4585b82d8a7d67d25405f4bc388070ff3d6e674d964c8eb6b25cb87b786f4ad3 		Access, Write
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll - Access
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config - Access, Read
C:\Windows\system32\c_1252.nls - Access
C:\Windows\SYSTEM32\ntdll.dll - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config - Access
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml - Access, Read
Registry (61)
»
Registry Key Name Operations
HKEY_CLASSES_ROOT\Licenses Access
HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 Read
HKEY_CLASSES_ROOT\TypeLib Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 Access
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 Access, Read
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 Access, Read
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 Access
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 Access
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 Access, Read
HKEY_CURRENT_USER Access
HKEY_CURRENT_USER\Environment Access, Read
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Access, Write
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 Access, Read, Write
HKEY_CURRENT_USER\Software\Microsoft\Command Processor Access, Read
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Access, Read, Write
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion Access, Read
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment Access, Read
HKEY_USERS Access
HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 Access, Read
HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Access, Read
win64 Access
Mutex (6)
»
Mutex Name Operations
Global\.net clr networking Access, Delete
Local\{6A5E21FF-C1FA-2C95-9B3E-8520FF528954} Access
Local\{722AD44B-2987-7426-43C6-6DE8275AF19C} Access, Delete
Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6} Access
{B29A7695-69BA-B440-8306-AD28679A31DC} Access
{BE6B9E68-0520-A091-7FD2-09D423264D48} Access
URL (1)
»
URL Operations
ihbnaoisdnasdasd.com/NOIT/testv.php?l=krish7.class GET
IP (1)
»
IP Protocols
158.69.153.61 HTTP, DNS, TCP
Export IOCs
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image