VTI Score: 100 / 100

VTI Database Version | 2.6
VTI Rule Match Count | 11
VTI Rule Type | Scripts

Anti Analysis
  Try to detect virtual machine
    - Readout system information, commonly used to detect VMs via registry. (Value "VendorIdentifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0").

Injection
  Write into memory of another process
    - "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe" modifies memory of "c:\windows\syswow64\dllhost.exe"
  Modify control flow of another process
    - "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe" alters context of "c:\windows\syswow64\dllhost.exe"

Network
  Check external IP address
    - Check external IP by asking IP info service at "httpbin.org/ip".
  Download data
    - URL "https://moranaccountants-my.sharepoint.com/personal/lily_moranaccountants_com_au/_layouts/15/guestaccess.aspx?docid=03559bd7bd473450fab4c679cae4be913&authkey=AXWiRPNRVvwj9BsVKKyrAsc&e=259ca72ab9534857b5c3964310916b09".
    - URL "httpbin.org/ip".
  Connect to HTTP server
    - URL "httpbin.org/ip".
    - URL "https://moranaccountants-my.sharepoint.com/personal/lily_moranaccountants_com_au/_layouts/15/guestaccess.aspx?docid=03559bd7bd473450fab4c679cae4be913&authkey=AXWiRPNRVvwj9BsVKKyrAsc&e=259ca72ab9534857b5c3964310916b09".
  Connect to remote host
    - Outgoing TCP connection to host "192.99.181.10:443".

PE
  Execute dropped PE file
    - Execute dropped file "c:\users\5p5nrg~1\appdata\local\temp\pst790mv.exe".
  Drop PE file
    - Drop file "c:\users\5p5nrg~1\appdata\local\temp\pst790mv.exe".
    - Drop file "c:\programdata\252e9d6f-46f0-4cf5-8686-f2a673c579a2\af77746e-8a65-4302-8042-f6017918c669.dll".

Process
  Create system object
    - Create mutex with name "df7689e6-c49f-4a86-82e8-6809a406872a".

Other VTI categories (no matched rules listed):
  - Browser
  - Device
  - OS
  - File System
  - Hide Tracks
  - Information Stealing
  - Kernel
  - Masquerade
  - Persistence
  - User
  - VBA Macro
  - YARA