RTF Document Takes Advantage of CVE-2017-11882 Vulnerability | VTI by Category
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 36 |
| VTI Rule Type | Documents |
|
Anti Analysis |
|
|
|
Try to detect kernel debugger
|
|
|
Check via API "NtQuerySystemInformation".
|
||
|
|
Illegitimate API usage
|
|
|
Internal API "CreateProcessInternalW" was used to start "C:\Windows\System32\cmmon32.exe".
|
||
|
Internal API "CreateProcessInternalW" was used to start "C:\Windows\System32\cmd.exe".
|
||
|
Internal API "CreateProcessInternalW" was used to start "C:\Program Files\Mozilla Firefox\Firefox.exe".
|
||
|
|
Try to detect debugger
|
|
|
Check via API "NtQueryInformationProcess".
|
||
|
|
Delay execution
|
|
|
One thread sleeps more than 5 minutes.
|
||
|
|
File System |
|
|
|
Modify operating system directory
|
|
|
Create file "\??\C:\Windows\SYSTEM32\ntdll.dll" in the OS directory.
|
||
|
Modify file "\??\C:\Windows\SYSTEM32\ntdll.dll" in the OS directory.
|
||
|
Create file "\??\C:\Windows\System32\cmmon32.exe" in the OS directory.
|
||
|
Modify file "\??\C:\Windows\System32\cmmon32.exe" in the OS directory.
|
||
|
Create file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
|
||
|
Modify file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
|
||
|
|
Handle with malicious files
|
|
|
File "c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe" is a known malicious file.
|
||
|
|
Injection |
|
|
|
Write into memory of another process
|
|
|
"c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe" modifies memory of "c:\windows\explorer.exe"
|
||
|
|
Modify control flow of another process
|
|
|
"c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe" alters context of "c:\windows\explorer.exe"
|
||
|
|
Network |
|
|
|
Read network configuration
|
|
|
Read the current network configuration trough the host.conf file.
|
||
|
|
TCP Server not available
|
|
|
Every TCP connection attempt failed.
|
||
|
|
Download data
|
|
|
URL "doc2th.com/tin/off.exe".
|
||
|
|
Perform DNS request
|
|
|
Resolve host name "doc2th.com".
|
||
|
|
Connect to HTTP server
|
|
|
URL "doc2th.com/tin/off.exe".
|
||
|
|
PE |
|
|
|
Execute dropped PE file
|
|
|
Execute dropped file "c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe".
|
||
|
|
Drop PE file
|
|
|
Drop file "c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe".
|
||
|
|
Persistence |
|
|
|
Install system startup script or application
|
|
|
Add "C:\Program Files\Crfitq6x\gdigzvh.exe" to windows startup via registry.
|
||
|
|
Process |
|
|
|
Create process
|
|
|
Create process "C:\Windows/system32/WindowsPowerShell/v1.0/powershell.exe".
|
||
|
Create process ""C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe"".
|
||
|
Create process "C:\Windows\System32\cmmon32.exe".
|
||
|
Create process "C:\Windows\System32\cmd.exe".
|
||
|
Create process "C:\Program Files\Mozilla Firefox\Firefox.exe".
|
||
|
|
Read from memory of another process
|
|
|
"c:\windows\explorer.exe" reads from "C:\Windows\System32\cmmon32.exe".
|
||
|
"c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe" reads from "c:\windows\explorer.exe".
|
||
|
"c:\windows\system32\cmmon32.exe" reads from "c:\windows\explorer.exe".
|
||
|
"c:\windows\system32\cmmon32.exe" reads from "C:\Program Files\Mozilla Firefox\Firefox.exe".
|
||
|
|
Create system object
|
|
|
Create mutex with name "Local\!PrivacIE!SharedMemory!Mutex".
|
||
|
Create mutex with name "Global\.net clr networking".
|
||
|
Create nameless mutex.
|
||
|
Create mutex with name "664908S9UTEIZ6MN".
|
||
|
Create mutex with name "OLO0NDS-0AXWwKzG".
|
||
| - | Browser | |
| - | Device | |
| - | OS | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Kernel | |
| - | Masquerade | |
| - | User | |
| - | VBA Macro | |
| - | YARA | |
