RTF Document Takes Advantage of CVE-2017-11882 Vulnerability   | VTI by Score
Try VMRay Analyzer
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 36
VTI Rule Type Documents
Detected Threats
Arrow File System Modify operating system directory
Create file "\??\C:\Windows\SYSTEM32\ntdll.dll" in the OS directory.
Modify file "\??\C:\Windows\SYSTEM32\ntdll.dll" in the OS directory.
Create file "\??\C:\Windows\System32\cmmon32.exe" in the OS directory.
Modify file "\??\C:\Windows\System32\cmmon32.exe" in the OS directory.
Create file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
Modify file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
Arrow Anti Analysis Try to detect kernel debugger
Check via API "NtQuerySystemInformation".
Arrow Anti Analysis Illegitimate API usage
Internal API "CreateProcessInternalW" was used to start "C:\Windows\System32\cmmon32.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\System32\cmd.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Program Files\Mozilla Firefox\Firefox.exe".
Arrow Injection Write into memory of another process
"c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe" modifies memory of "c:\windows\explorer.exe"
Arrow Injection Modify control flow of another process
"c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe" alters context of "c:\windows\explorer.exe"
Arrow Process Create process
Create process "C:\Windows/system32/WindowsPowerShell/v1.0/powershell.exe".
Create process ""C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe"".
Create process "C:\Windows\System32\cmmon32.exe".
Create process "C:\Windows\System32\cmd.exe".
Create process "C:\Program Files\Mozilla Firefox\Firefox.exe".
Arrow Anti Analysis Try to detect debugger
Check via API "NtQueryInformationProcess".
Arrow Process Read from memory of another process
"c:\windows\explorer.exe" reads from "C:\Windows\System32\cmmon32.exe".
"c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe" reads from "c:\windows\explorer.exe".
"c:\windows\system32\cmmon32.exe" reads from "c:\windows\explorer.exe".
"c:\windows\system32\cmmon32.exe" reads from "C:\Program Files\Mozilla Firefox\Firefox.exe".
Arrow Network Read network configuration
Read the current network configuration trough the host.conf file.
Arrow Network TCP Server not available
Every TCP connection attempt failed.
Arrow File System Handle with malicious files
File "c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe" is a known malicious file.
Arrow Network Download data
URL "doc2th.com/tin/off.exe".
Arrow Network Perform DNS request
Resolve host name "doc2th.com".
Arrow Anti Analysis Delay execution
One thread sleeps more than 5 minutes.
Arrow Persistence Install system startup script or application
Add "C:\Program Files\Crfitq6x\gdigzvh.exe" to windows startup via registry.
Arrow PE Execute dropped PE file
Execute dropped file "c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe".
Arrow Network Connect to HTTP server
URL "doc2th.com/tin/off.exe".
Arrow PE Drop PE file
Drop file "c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe".
Arrow Process Create system object
Create mutex with name "Local\!PrivacIE!SharedMemory!Mutex".
Create mutex with name "Global\.net clr networking".
Create nameless mutex.
Create mutex with name "664908S9UTEIZ6MN".
Create mutex with name "OLO0NDS-0AXWwKzG".
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image