DYNAMIC ANALYSIS REPORT #1337459
Classifications: Exploit Downloader Spyware
MALICIOUS Threat Names: Exploit.CVE-2018-0802.Gen
Verdict Reason: -
Sample Type Excel Document
Sample Name homefarmanteroom9b56459b5645b0f5e2fbbb8ec8c45c1a4e82922f73a7b6c28dbc6c5f397ad9bda83f77.xls
ID #471135
MD5 596b83a169467280b5e047f498eeaa33
SHA1 4d36aad5a72e14082ec57274921f503a9ae29aa1
SHA256 9b5645b0f5e2fbbb8ec8c45c1a4e82922f73a7b6c28dbc6c5f397ad9bda83f77
File Size 37.63 KB
Report Created 2021-05-07 20:08 (UTC+2)
Target Environment win7_64_sp1_en_mso2016 | ms_office
X-Ray Vision for Malware - www.vmray.com 1 / 30 DYNAMIC ANALYSIS REPORT #1337459
OVERVIEW
VMRay Threat Identifiers (24 rules, 73 matches)
Score Category Operation Count Classification
5/5 Injection Writes into the memory of a process running from a created or modified executable 1 -
• (Process #3) doqqx.exe modifies memory of (process #8) doqqx.exe.
5/5 Injection Modifies control flow of a process running from a created or modified executable 1 -
• (Process #3) doqqx.exe alters context of (process #8) doqqx.exe.
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: Opera, WinSCP, TightVNC, Cyberfox, Flock, Ipswitch WS_FTP, OpenVPN, TigerVNC, FTP Navigator, Microsoft Outlook, Pocomail, FileZilla, k-Meleon, SeaMonkey, BlackHawk, Opera Mail, Mozilla Thunderbird, IncrediMail, CoreFTP, Internet Download Manager, Postbox, The Bat!, Internet Explorer / Edge, Comodo IceDragon, Internet Explorer, Mozilla Firefox.
4/5 Execution Document tries to create process 3 -
• Document creates (process #2) eqnedt32.exe.
• Document creates (process #6) doqqx.exe.
• Document creates (process #8) doqqx.exe.
4/5 Obfuscation Reads from memory of another process 2 -
• (Process #3) doqqx.exe reads from (process #6) doqqx.exe.
• (Process #3) doqqx.exe reads from (process #8) doqqx.exe.
4/5 Discovery Queries OS version via WMI 1 -
• (Process #8) doqqx.exe queries OS version via WMI.
4/5 Discovery Executes WMI query 2 -
• (Process #8) doqqx.exe executes WMI query: select * from Win32_OperatingSystem.
• (Process #8) doqqx.exe executes WMI query: SELECT * FROM Win32_Processor.
4/5 Discovery Collects hardware properties 1 -
• (Process #8) doqqx.exe queries hardware properties via WMI.
4/5 Exploit Possible exploitation attempt 1 Exploit
• Office document may try to exploit a common vulnerability or exposure (CVE): CVE-2018-0798.
4/5 Network Connection Performs DNS request 1 -
• (Process #8) doqqx.exe resolves host name "sixjan.club" to IP "162.213.251.182".
4/5 Network Connection Connects to remote host 1 -
• (Process #8) doqqx.exe opens an outgoing TCP connection to host "162.213.251.182:587".
4/5 Network Connection Downloads executable 1 Downloader
• (Process #2) eqnedt32.exe downloads executable via http from http://31.210.20.6/RT/Aeunsul.exe.
4/5 Network Connection Attempts to connect through HTTP 1 -
• (Process #2) eqnedt32.exe connects to "http://31.210.20.6/RT/Aeunsul.exe".
4/5 Network Connection Tries to connect using an uncommon port 1 -
• (Process #8) doqqx.exe tries to connect to TCP port 587 at 162.213.251.182.
4/5 Antivirus Malicious content was detected by heuristic scan 2 -
• Built-in AV detected the embedded file oleObject1.bin as "Exploit.CVE-2018-0802.Gen".
• Built-in AV detected the sample itself as "Exploit.CVE-2018-0802.Gen".
3/5 Discovery Enumerates running processes 1 -
• (Process #3) doqqx.exe enumerates running processes.
2/5 Data Collection Reads sensitive browser data 9 -
• (Process #8) doqqx.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #8) doqqx.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #8) doqqx.exe tries to read sensitive data of web browser "BlackHawk" by file.
• (Process #8) doqqx.exe tries to read sensitive data of web browser "Cyberfox" by file.
• (Process #8) doqqx.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.
• (Process #8) doqqx.exe tries to read sensitive data of web browser "k-Meleon" by file.
• (Process #8) doqqx.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
• (Process #8) doqqx.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #8) doqqx.exe tries to read sensitive data of web browser "Flock" by file.
2/5 Data Collection Reads sensitive ftp data 5 -
• (Process #8) doqqx.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
• (Process #8) doqqx.exe tries to read sensitive data of ftp application "CoreFTP" by file.
• (Process #8) doqqx.exe tries to read sensitive data of ftp application "CoreFTP" by registry.
• (Process #8) doqqx.exe tries to read sensitive data of ftp application "FileZilla" by file.
• (Process #8) doqqx.exe tries to read sensitive data of ftp application "Ipswitch WS_FTP" by file.
2/5 Discovery Possibly does reconnaissance 22 -
• (Process #8) doqqx.exe tries to gather information about application "FTP Navigator" by file.
• (Process #8) doqqx.exe tries to gather information about application "SeaMonkey" by file.
• (Process #8) doqqx.exe tries to gather information about application "RealVNC" by registry.
• (Process #8) doqqx.exe tries to gather information about application "TightVNC" by registry.
• (Process #8) doqqx.exe tries to gather information about application "TigerVNC" by registry.
• (Process #8) doqqx.exe tries to gather information about application "CoreFTP" by file.
• (Process #8) doqqx.exe tries to gather information about application "Opera Mail" by file.
• (Process #8) doqqx.exe tries to gather information about application "FileZilla" by file.
• (Process #8) doqqx.exe tries to gather information about application "Pocomail" by file.
• (Process #8) doqqx.exe tries to gather information about application "icecat" by file.
• (Process #8) doqqx.exe tries to gather information about application "blackHawk" by file.
• (Process #8) doqqx.exe tries to gather information about application "WS_FTP" by file.
• (Process #8) doqqx.exe tries to gather information about application "Qualcomm Eudora" by registry.
• (Process #8) doqqx.exe tries to gather information about application "Cyberfox" by file.
• (Process #8) doqqx.exe tries to gather information about application "Comodo IceDragon" by file.
• (Process #8) doqqx.exe tries to gather information about application "k-Meleon" by file.
• (Process #8) doqqx.exe tries to gather information about application "The Bat!" by file.
• (Process #8) doqqx.exe tries to gather information about application "WinSCP" by registry.
• (Process #8) doqqx.exe tries to gather information about application "Postbox" by file.
• (Process #8) doqqx.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #8) doqqx.exe tries to gather information about application "Flock" by file.
• (Process #8) doqqx.exe tries to gather information about application "Foxmail" by registry.
2/5 Data Collection Reads sensitive mail data 7 -
• (Process #8) doqqx.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.
• (Process #8) doqqx.exe tries to read sensitive data of mail application "Opera Mail" by file.
• (Process #8) doqqx.exe tries to read sensitive data of mail application "Pocomail" by file.
• (Process #8) doqqx.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
• (Process #8) doqqx.exe tries to read sensitive data of mail application "IncrediMail" by registry.
• (Process #8) doqqx.exe tries to read sensitive data of mail application "The Bat!" by file.
• (Process #8) doqqx.exe tries to read sensitive data of mail application "Postbox" by file.
2/5 Data Collection Reads sensitive application data 6 -
• (Process #8) doqqx.exe tries to read sensitive data of application "SeaMonkey" by file.
• (Process #8) doqqx.exe tries to read sensitive data of application "TightVNC" by registry.
• (Process #8) doqqx.exe tries to read sensitive data of application "TigerVNC" by registry.
• (Process #8) doqqx.exe tries to read sensitive data of application "OpenVPN" by registry.
• (Process #8) doqqx.exe tries to read sensitive data of application "WinSCP" by registry.
• (Process #8) doqqx.exe tries to read sensitive data of application "Internet Download Manager" by registry.
2/5 Discovery Reads network adapter information 1 -
• (Process #8) doqqx.exe reads the network adapters' addresses by API.
2/5 Heuristics Contains known suspicious class identifier 1 -
• Office document contains suspicious class identifier for ActiveX object "Equation2" (CLSID {0002CE02-0000-0000-C000-000000000046}).
2/5 Heuristics Signed executable failed signature validation 1 -
• C:\Users\kEecfMwgj\doqqx.exe is signed, but signature validation failed.
Mitre ATT&CK Matrix
Tactic Techniques
Initial Access -
Execution #T1047 Windows Management Instrumentation; #T1203 Exploitation for Client Execution
Persistence -
Privilege Escalation -
Defense Evasion -
Credential Access #T1081 Credentials in Files; #T1214 Credentials in Registry; #T1003 Credential Dumping
Discovery #T1057 Process Discovery; #T1083 File and Directory Discovery; #T1012 Query Registry; #T1082 System Information Discovery; #T1016 System Network Configuration Discovery
Lateral Movement #T1105 Remote File Copy
Collection #T1119 Automated Collection; #T1005 Data from Local System
Command and Control #T1071 Standard Application Layer Protocol; #T1105 Remote File Copy; #T1065 Uncommonly Used Port
Exfiltration -
Impact -
Sample Information
ID 1337459
MD5 596b83a169467280b5e047f498eeaa33
SHA1 4d36aad5a72e14082ec57274921f503a9ae29aa1
SHA256 9b5645b0f5e2fbbb8ec8c45c1a4e82922f73a7b6c28dbc6c5f397ad9bda83f77
SSDeep 768:pG7cMx4dTVuspEbjrTiLV4fzJsf7/Ov8T/POQQXIGA9+OlQG/8:XVuXfY4fz0dHOcMyo
ImpHash
Filename homefarmanteroom9b56459b5645b0f5e2fbbb8ec8c45c1a4e82922f73a7b6c28dbc6c5f397ad9bda83f77.xls
File Size 37.63 KB
Sample Type Excel Document
Has Macros
Analysis Information
Creation Time 2021-05-07 20:08 (UTC+2)
Analysis Duration 00:04:10
Termination Reason Timeout
Number of Monitored Processes 7
Execution Successful False
Reputation Analysis Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 2
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
Screenshots truncated.
NETWORK
General
1.63 KB total sent
463.70 KB total received
2 ports 80, 587
3 contacted IP addresses
0 URLs extracted
1 files downloaded
0 malicious hosts detected
DNS
1 DNS requests for 1 domains
1 nameservers contacted
0 total requests returned errors
HTTP/S
1 URLs contacted, 1 servers
1 sessions, 444 bytes sent, 462.70 KB received
DNS Requests
Type Hostname Response Code Resolved IPs CNames Verdict
A sixjan.club NoError 162.213.251.182 N/A
HTTP Requests
Method URL Dest. IP Dest. Port Status Code Response Size Verdict
GET http://31.210.20.6/RT/Aeunsul.exe 0 bytes N/A
BEHAVIOR
Process Graph
#1 excel.exe (Sample Start)
    #4 eqnedt32.exe (Child Process)
#2 eqnedt32.exe (RPC Server)
    #3 doqqx.exe (Child Process)
        #6 doqqx.exe (Child Process)
        #7 doqqx.exe (Child Process)
        #8 doqqx.exe (Child Process; target of Modify Memory and Modify Control Flow from #3)
Process #1: excel.exe
ID 1
Filename c:\program files (x86)\microsoft office\root\office16\excel.exe
Command Line "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 59273, Reason: Analysis Target
Unmonitor End Time End Time: 317609, Reason: Terminated by Timeout
Monitor Duration 258.34s
Return Code Unknown
PID 3788
Parent PID 1120
Bitness 32 Bit
Process #2: eqnedt32.exe
ID 2
Filename c:\program files (x86)\microsoft office\root\vfs\programfilescommonx86\microsoft shared\equation\eqnedt32.exe
Command Line "C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 81137, Reason: RPC Server
Unmonitor End Time End Time: 93787, Reason: Terminated
Monitor Duration 12.65s
Return Code 0
PID 2920
Parent PID 584
Bitness 32 Bit
Dropped Files (1)
Filename File Size SHA256 YARA Match
- 448.30 KB c3bf2dd2d53f2ac2dcf5e59aa8d234efdf24fb7f5eca9e2a9cb1a4536979bed4
Host Behavior
Type Count
Module 6
File 1
Process 1
Network Behavior
Type Count
HTTP 1
TCP 1
Process #3: doqqx.exe
ID 3
Filename c:\users\keecfmwgj\doqqx.exe
Command Line "C:\Users\kEecfMwgj\doqqx.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 91045, Reason: Child Process
Unmonitor End Time End Time: 156516, Reason: Terminated
Monitor Duration 65.47s
Return Code 0
PID 2876
Parent PID 2920
Bitness 32 Bit
Dropped Files (1)
Filename File Size SHA256 YARA Match
C:\Users\kEecfMwgj\AppData\Local\Temp\doqqx.exe 448.30 KB c3bf2dd2d53f2ac2dcf5e59aa8d234efdf24fb7f5eca9e2a9cb1a4536979bed4
Host Behavior
Type Count
Registry 17
Module 25
File 22
System 523
User 1
Process 318
- 5
- 11
Process #4: eqnedt32.exe
ID 4
Filename c:\program files (x86)\microsoft office\root\vfs\programfilescommonx86\microsoft shared\equation\eqnedt32.exe
Command Line "C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe" -Embedding
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 92743, Reason: Child Process
Unmonitor End Time End Time: 95490, Reason: Terminated
Monitor Duration 2.75s
Return Code 0
PID 2864
Parent PID 3788
Bitness 32 Bit
Process #6: doqqx.exe
ID 6
Filename c:\users\keecfmwgj\appdata\local\temp\doqqx.exe
Command Line C:\Users\kEecfMwgj\AppData\Local\Temp\doqqx.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 152994, Reason: Child Process
Unmonitor End Time End Time: 154228, Reason: Terminated
Monitor Duration 1.23s
Return Code 4294967295
PID 2168
Parent PID 2876
Bitness 32 Bit
Process #7: doqqx.exe
ID 7
Filename c:\users\keecfmwgj\appdata\local\temp\doqqx.exe
Command Line C:\Users\kEecfMwgj\AppData\Local\Temp\doqqx.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 153221, Reason: Child Process
Unmonitor End Time End Time: 154364, Reason: Terminated
Monitor Duration 1.14s
Return Code 4294967295
PID 2164
Parent PID 2876
Bitness 32 Bit
Process #8: doqqx.exe
ID 8
Filename c:\users\keecfmwgj\appdata\local\temp\doqqx.exe
Command Line C:\Users\kEecfMwgj\AppData\Local\Temp\doqqx.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 153319, Reason: Child Process
Unmonitor End Time End Time: 317609, Reason: Terminated by Timeout
Monitor Duration 164.29s
Return Code Unknown
PID 2156
Parent PID 2876
Bitness 32 Bit
Injection Information (6)
Injection Type Source Process Source / Target TID Address / Name Size Success Count
Modify Memory #3: c:\users\keecfmwgj\doqqx.exe 0xb38 0x400000 (4194304) 0x200 1
Modify Memory #3: c:\users\keecfmwgj\doqqx.exe 0xb38 0x402000 (4202496) 0x35800 1
Modify Memory #3: c:\users\keecfmwgj\doqqx.exe 0xb38 0x438000 (4423680) 0x600 1
Modify Memory #3: c:\users\keecfmwgj\doqqx.exe 0xb38 0x43a000 (4431872) 0x200 1
Modify Memory #3: c:\users\keecfmwgj\doqqx.exe 0xb38 0x7efde008 (2130567176) 0x4 1
Modify Control Flow #3: c:\users\keecfmwgj\doqqx.exe 0xb38 / 0x870 - 1
Host Behavior
Type Count
Registry 124
File 128
Module 61
Window 6
System 17
User 4
- 30
COM 52
Environment 26
- 2
Mutex 2
Network Behavior
Type Count
DNS 1
TCP 1
ARTIFACTS
File
SHA256 Filenames Category Filesize MIME Type Operations Verdict
9b5645b0f5e2fbbb8ec8c45c1a4e82922f73a7b6c28dbc6c5f397ad9bda83f77 C:\Users\kEecfMwgj\Desktop\homefarmanteroom9b56459b5645b0f5e2fbbb8ec8c45c1a4e82922f73a7b6c28dbc6c5f397ad9bda83f77.xls Sample File 37.63 KB application/vnd.openxmlformats-officedocument.spreadsheetml.sheet MALICIOUS
c3bf2dd2d53f2ac2dcf5e59aa8d234efdf24fb7f5eca9e2a9cb1a4536979bed4 C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\nodpad\nodpad\nodpad\nodpad\nodpad\nodpad\nodpad.exe, C:\Users\kEecfMwgj\AppData\Local\Temp\doqqx.exe, C:\Users\kEecfMwgj\doqqx.exe Downloaded File 448.30 KB application/vnd.microsoft.portable-executable Write, Access, Create MALICIOUS
e42daf16b30d6b6b3a2f141d3456dd5f90137068912f26821e12146ba452874b oleObject1.bin Embedded File 4.00 KB application/CDFV2 MALICIOUS
0deb546e5d348d1f5849d96beb8be879628292b36d8998e9f5ad2cc2e4edcd3e Embedded File 1.73 KB application/octet-stream CLEAN
79fe5f5eafcd93d0d2feb56f4e47a9de38fbb6c7131e2552f65dca2409c91267 image1.jpg Embedded File 27.94 KB image/jpeg CLEAN
Filename
Filename Category Operations Verdict
C:\Users\kEecfMwgj\doqqx.exe Downloaded File Access, Create CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\nodpad\nodpad\nodpad\nodpad\nodpad\nodpad Accessed File Access, Create CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\nodpad\nodpad\nodpad\nodpad\nodpad Accessed File Access, Create CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\nodpad\nodpad\nodpad\nodpad Accessed File Access, Create CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\nodpad\nodpad\nodpad Accessed File Access, Create CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\nodpad\nodpad Accessed File Access, Create CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\nodpad Accessed File Access, Create CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\nodpad\nodpad\nodpad\nodpad\nodpad\nodpad\nodpad.exe Downloaded File Write, Access, Create CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Itself.exe Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\doqqx.exe Downloaded File Write, Access, Create CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config Accessed File Read, Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\doqqx.exe.config Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Vivaldi\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Chromium\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Yandex\YandexBrowser\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Orbitum\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\liebao\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\7Star\7Star\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Chedot\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Coowon\Coowon\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Elements Browser\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\CocCoc\Browser\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Iridium\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Epic Privacy Browser\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera Software\Opera Stable Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Kometa\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\uCozMedia\Uran\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\QIP Surf\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\360Chrome\Chrome\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\CentBrowser\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Comodo\Dragon\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\CatalinaGroup\Citrio\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\MapleStudio\ChromePlus\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Amigo\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Sputnik\Sputnik\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Torch\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\BraveSoftware\Brave-Browser\User Data Accessed File Access CLEAN
C:\Windows\system32\Folder.lst Accessed File Access CLEAN
C:\FTP Navigator\Ftplist.txt Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Thunderbird\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Trillian\users\global\accounts.dat Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\eM Client Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini Accessed File Access CLEAN
C:\Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini Accessed File Access CLEAN
C:\Program Files (x86)\UltraVNC\ultravnc.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\CoreFTP\sites.idx Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera Mail\Opera Mail\wand.dat Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\FileZilla\recentservers.xml Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Edge\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Pocomail\accounts.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Mozilla\icecat\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Claws-mail Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Claws-mail\clawsrc Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\MySQL\Workbench\workbench_user_data.dat Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Psi\profiles Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Psi+\profiles Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Waterfox\profiles.ini Accessed File Access CLEAN
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\falkon\profiles\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Mailbird\Store\Store.db Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe Accessed File Access CLEAN
C:\Program Files (x86)\jDownloader\config\database.script Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Comodo\IceDragon\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\K-Meleon\profiles.ini Accessed File Access CLEAN
C:\cftp\Ftplist.txt Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Google\Chrome\User Data\ Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\The Bat! Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Postbox\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\NordVPN Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Credentials\ Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Credentials\ Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Mozilla\Firefox\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\FTPGetter\servers.xml Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Flock\Browser\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Tencent\QQBrowser\User Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage Accessed File Access CLEAN
C:\Storage\ Accessed File Access CLEAN
C:\mail\ Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\VirtualStore\Program Files\Foxmail\mail\ Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\ Accessed File Access CLEAN
C:\Program Files\Private Internet Access\data Accessed File Access CLEAN
C:\Private Internet Access\data Accessed File Access CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
http://31.210.20.6/RT/Aeunsul.exe 31.210.20.6 GET CLEAN
Domain
Domain IP Address Country Protocols Verdict
sixjan.club 162.213.251.182 DNS CLEAN
IP
IP Address Domains Country Protocols Verdict
162.213.251.182 sixjan.club United States DNS, TCP MALICIOUS
192.168.0.1 - DNS, UDP CLEAN
31.210.20.6 United States TCP, HTTP CLEAN
-
Email Address
-
Mutex
-
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE access doqqx.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders access doqqx.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup write, read, access doqqx.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders access doqqx.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup write, read, access doqqx.exe CLEAN
HKEY_PERFORMANCE_DATA access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace read, access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity read, access doqqx.exe CLEAN
HKEY_CURRENT_USER\Software\RimArts\B2\Settings access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RealVNC\WinVNC4 access doqqx.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\RealVNC\WinVNC4 access doqqx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver access doqqx.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\RealVNC\vncserver | access | doqqx.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\RealVNC\WinVNC4 | access | doqqx.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3 | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\ORL\WinVNC3 | access | doqqx.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\TightVNC\Server | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\TightVNC\Server | access | doqqx.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\TigerVNC\Server | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\TigerVNC\Server | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\Host | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password | read, access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\IncrediMail\Identities | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\DownloadManager\Passwords | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview | access | doqqx.exe | CLEAN
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1 | access | doqqx.exe | CLEAN
Process
Process Name | Commandline | Verdict
doqqx.exe | "C:\Users\kEecfMwgj\doqqx.exe" | MALICIOUS
eqnedt32.exe | "C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | SUSPICIOUS
doqqx.exe | C:\Users\kEecfMwgj\AppData\Local\Temp\doqqx.exe | SUSPICIOUS
excel.exe | "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" | CLEAN
eqnedt32.exe | "C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe" -Embedding | CLEAN
YARA / AV
Antivirus (2)
File Type | Threat Name | Filename | Verdict
SAMPLE | Exploit.CVE-2018-0802.Gen | C:\Users\kEecfMwgj\Desktop\homefarmanteroom9b56459b5645b0f5e2fbbb8ec8c45c1a4e82922f73a7b6c28dbc6c5f397ad9bda83f77.xls | MALICIOUS
EMBEDDED | Exploit.CVE-2018-0802.Gen | oleObject1.bin | MALICIOUS
ENVIRONMENT
Virtual Machine Information
Name win7_64_sp1_en_mso2016
Description win7_64_sp1_en_mso2016
Architecture x86 64-bit
Operating System Windows 7
Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.1.1
Dynamic Engine Version 4.1.1 / 02/08/2021 15:19
Static Engine Version 1.6.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)
Built-in AV Database Update Release Date 2021-05-07 15:18:55+00:00
VTI Ruleset Version 3.8
YARA Built-in Ruleset Version 1.5
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 8.0.7601.17514
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed