Excel File Drops Malicious Payload (2018-02-13) | VTI by Category
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 17 |
| VTI Rule Type | Documents |
|
Anti Analysis |
|
|
|
Try to detect debugger
|
|
|
Check via API "NtQueryInformationProcess".
|
||
|
|
Browser |
|
|
|
Read data related to saved browser credentials
|
|
|
Read saved credentials for "Google Chrome".
|
||
|
|
File System |
|
|
|
Handle with malicious files
|
|
|
File "c:\users\kft6utqw\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\val[1].exe" is a known malicious file.
|
||
|
|
Information Stealing |
|
|
|
Read system data
|
|
|
Read the cryptographic machine GUID from registry.
|
||
|
|
Injection |
|
|
|
Write into memory of a process running from a created or modified executable
|
|
|
"c:\users\kft6utqw\appdata\local\temp\heidi.exe" modifies memory of "c:\users\kft6utqw\appdata\local\temp\heidi.exe"
|
||
|
|
Modify control flow of a process running from a created or modified executable
|
|
|
"c:\users\kft6utqw\appdata\local\temp\heidi.exe" alters context of "c:\users\kft6utqw\appdata\local\temp\heidi.exe"
|
||
|
|
Network |
|
|
|
Download file
|
|
|
Download file from "http://kdotraky.com/kat/val.exe" to "c:\users\kft6utqw\appdata\local\temp\heidi.exe".
|
||
|
|
Reputation URL lookup
|
|
|
URL "http://kdotraky.com/kat/val.exe" is known as malicious URL.
|
||
|
URL "kdotraky.com/temp/Panel/five/fre.php" is known as malicious URL.
|
||
|
|
Download data
|
|
|
URL "http://kdotraky.com/kat/val.exe".
|
||
|
URL "kdotraky.com/temp/Panel/five/fre.php".
|
||
|
|
Perform DNS request
|
|
|
Resolve host name "kdotraky.com".
|
||
|
Resolve host name "ÅÐÐÑÐЯÐÐÑ".
|
||
|
|
Connect to remote host
|
|
|
Outgoing TCP connection to host "101.99.75.184:80".
|
||
|
|
Connect to HTTP server
|
|
|
URL "kdotraky.com/temp/Panel/five/fre.php".
|
||
|
|
PE |
|
|
|
Drop PE file
|
|
|
Drop file "c:\users\kft6utqw\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\val[1].exe".
|
||
|
|
Process |
|
|
|
Create process
|
|
|
Create process "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe".
|
||
|
|
Create system object
|
|
|
Create mutex with name "73EE9CC98E5412EEF2B9A336".
|
||
| - | Device | |
| - | OS | |
| - | Hide Tracks | |
| - | Kernel | |
| - | Masquerade | |
| - | Persistence | |
| - | User | |
| - | VBA Macro | |
| - | YARA | |
