Fake Microsoft Word Invoice Analysis
| VTI by Category
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 15 |
| VTI Rule Type | Documents |
|
File System |
|
|
|
Handle with malicious files
|
|
|
File "c:\users\hjrd1koky ds8lujv\appdata\local\temp\8162.exe" is a known malicious file.
|
||
|
|
Injection |
|
|
|
Write into memory of another process
|
|
|
"c:\users\hjrd1k~1\appdata\local\temp\8162.exe" modifies memory of "c:\users\hjrd1k~1\appdata\local\temp\8162.exe"
|
||
|
|
Modify control flow of another process
|
|
|
"c:\users\hjrd1k~1\appdata\local\temp\8162.exe" alters context of "c:\users\hjrd1k~1\appdata\local\temp\8162.exe"
|
||
|
|
Network |
|
|
|
Perform DNS request
|
|
|
Resolve "carbeyondstore.com".
|
||
|
Resolve "www.carbeyondstore.com".
|
||
|
Resolve "pxpgraphics.com".
|
||
|
|
Connect to remote host
|
|
|
Outgoing TCP connection to host "72.52.246.64:80".
|
||
|
Outgoing TCP connection to host "69.65.3.206:80".
|
||
|
|
PE |
|
|
|
Execute dropped PE file
|
|
|
Execute dropped file "c:\users\hjrd1koky ds8lujv\appdata\local\temp\8162.exe".
|
||
|
|
Drop PE file
|
|
|
Drop file "c:\users\hjrd1koky ds8lujv\appdata\local\temp\8162.exe".
|
||
|
|
Process |
|
|
|
Create process
|
|
|
Create process "C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe".
|
||
|
|
Read from memory of an other process
|
|
|
"c:\users\hjrd1k~1\appdata\local\temp\8162.exe" reads from "C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe".
|
||
|
|
Create system object
|
|
|
Create mutex with name "Global\.net clr networking".
|
||
|
|
VBA Macro |
|
|
|
Execute application
|
|
|
Shell WkBDLdsmW, IDI5UPj
|
||
|
|
Execute macro on specific worksheet event
|
|
|
Execute macro on "Activate Workbook" event.
|
||
| - | Anti Analysis | |
| - | Browser | |
| - | Device | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Kernel | |
| - | Masquerade | |
| - | OS | |
| - | Persistence | |
| - | User | |
| - | YARA | |
