Macro-less Word Doc. uses DDE to Execute Powershell, Download DLL
Try VMRay Analyzer
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 30
VTI Rule Type Documents
Detected Threats
Arrow File System
Arrow
Modify operating system directory
Create file "C:\Windows\system32\sensr9.dat" in the OS directory.
Create file "C:\Windows\system32\ikeext32.dll" in the OS directory.
Create file "C:\Windows\system32\sensr3.dat" in the OS directory.
Create file "C:\Windows\system32\ikeext.dll" in the OS directory.
Modify file "C:\Windows\system32\sensr3.dat" in the OS directory.
Modify file "C:\Windows\system32\ikeext.dll" in the OS directory.
Modify file "C:\Windows\system32\sensr9.dat" in the OS directory.
Arrow Network
Arrow
Download data
URL "213.183.51.187/debug.dll".
Arrow
Perform DNS request
Resolve host name "127.0.0.1".
Arrow
Connect to remote host
Outgoing TCP connection to host "213.183.51.187:80".
Arrow
Connect to HTTP server
URL "213.183.51.187/debug.dll".
Arrow PE
Arrow
Drop PE file
Drop file "c:\users\bgc6u8oy yxgxkr\appdata\local\tempdebug.dll".
Drop file "c:\windows\system32\ikeext.dll".
Drop file "c:\windows\system32\ikeext32.dll".
Arrow Process
Arrow
Create process
Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
Create process ""C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK".
Create process "C:\Windows\system32\cmd.exe /c "net stop /y ikeext"".
Create process "C:\Windows\system32\net.exe".
Create process "C:\Windows\system32\cmd.exe /c "takeown /F C:\Windows\system32\ikeext.dll"".
Create process "C:\Windows\system32\takeown.exe".
Create process "C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant system:F"".
Create process "C:\Windows\system32\icacls.exe".
Create process "C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant administrators:F"".
Create process "C:\Windows\system32\cmd.exe /c "sc config ikeext start= auto"".
Create process "C:\Windows\system32\sc.exe".
Create process "C:\Windows\system32\cmd.exe /c "net start ikeext"".
Create process "C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat".
Create process "C:\Windows\system32\attrib.exe".
Create process "C:\Windows\system32\PING.EXE".
Create process "C:\Windows\system32\cmd.exe".
Arrow
Create system object
Create mutex with name "Global\.net clr networking".
- Anti Analysis
- Browser
- Device
- OS
- Hide Tracks
- Information Stealing
- Injection
- Kernel
- Masquerade
- Persistence
- User
- VBA Macro
- YARA
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image