MALICIOUS Threat Names: C2/Generic-A


DYNAMIC ANALYSIS REPORT #1298037

Classifications: Spyware
MALICIOUS Threat Names: C2/Generic-A
Verdict Reason: -

Sample Type: Windows Exe (x86-32)
Sample Name: Kvfwecxf.OR3.exe
ID: #451118
MD5: aa4ac54f3132c970ded1551ef80872d6
SHA1: 1d9bd7dac63323412ef02cba15acfa9632406b3d
SHA256: 275a1d8d7ae6503b4aac7a8636bcab66e3bfa0bb57215a1e1205107c1e854809
File Size: 292.00 KB
Report Created: 2021-05-03 09:37 (UTC+2)
Target Environment: win7_64_sp1_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 53

OVERVIEW

VMRay Threat Identifiers (29 rules, 88 matches)

Score | Category | Operation | Count | Classification

5/5 | Data Collection | Tries to read cached credentials of various applications | 1 | Spyware
• Tries to read sensitive data of: Flock, Mozilla Firefox, Microsoft Outlook, Opera Mail, Opera, Ipswitch WS_FTP, k-Meleon, Internet Explorer, Postbox, TigerVNC, Pocomail, Internet Download Manager, BlackHawk, Cyberfox, IncrediMail, The Bat!, TightVNC, Comodo IceDragon, FileZilla, WinSCP, Internet Explorer / Edge, CoreFTP, OpenVPN, SeaMonkey, Mozilla Thunderbird, FTP Navigator.

4/5 | Defense Evasion | Tries to disable antivirus software | 2 | -
• (Process #21) sc.exe stops a service related to Windows Defender via ControlService (API).
• (Process #2) advancedrun.exe stops a service related to Windows Defender via the sc.exe utility.

4/5 | Reputation | Contacts known malicious IP address | 1 | -
• Reputation analysis labels the contacted IP address 208.91.198.143 as "C2/Generic-A".

2/5 | Privilege Escalation | Enables critical process privilege | 2 | -
• (Process #2) advancedrun.exe enables critical process privilege "SeImpersonatePrivilege".
• (Process #22) advancedrun.exe enables critical process privilege "SeImpersonatePrivilege".

2/5 | Hide Tracks | Deletes file after execution | 1 | -
• (Process #1) kvfwecxf.or3.exe deletes executed executable "c:\users\keecfmwgj\appdata\local\temp\advancedrun.exe".

2/5 | Data Collection | Reads sensitive browser data | 9 | -
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "BlackHawk" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Flock" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "k-Meleon" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Cyberfox" by file.
• (Process #25) kvfwecxf.or3.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.

2/5 | Data Collection | Reads sensitive application data | 6 | -
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "TightVNC" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "TigerVNC" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "SeaMonkey" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "OpenVPN" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "WinSCP" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "Internet Download Manager" by registry.

2/5 | Data Collection | Reads sensitive mail data | 7 | -
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Opera Mail" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "IncrediMail" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "The Bat!" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Pocomail" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Postbox" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.

2/5 | Data Collection | Reads sensitive ftp data | 5 | -
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "Ipswitch WS_FTP" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "CoreFTP" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "CoreFTP" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "FileZilla" by file.

2/5 | Discovery | Queries OS version via WMI | 1 | -
• (Process #25) kvfwecxf.or3.exe queries OS version via WMI.

2/5 | Discovery | Executes WMI query | 2 | -
• (Process #25) kvfwecxf.or3.exe executes WMI query: select * from Win32_OperatingSystem.
• (Process #25) kvfwecxf.or3.exe executes WMI query: SELECT * FROM Win32_Processor.

2/5 | Discovery | Collects hardware properties | 1 | -
• (Process #25) kvfwecxf.or3.exe queries hardware properties via WMI.

2/5 | Anti Analysis | Tries to detect virtual machine | 1 | -
• Multiple processes are possibly trying to detect a VM via rdtsc.

2/5 | Injection | Writes into the memory of a process running from a created or modified executable | 1 | -
• (Process #1) kvfwecxf.or3.exe modifies memory of (process #25) kvfwecxf.or3.exe.

2/5 | Injection | Modifies control flow of a process running from a created or modified executable | 1 | -
• (Process #1) kvfwecxf.or3.exe alters context of (process #25) kvfwecxf.or3.exe.

1/5 | Privilege Escalation | Enables process privilege | 4 | -
• (Process #1) kvfwecxf.or3.exe enables process privilege "SeDebugPrivilege".
• (Process #2) advancedrun.exe enables process privilege "SeDebugPrivilege".
• (Process #22) advancedrun.exe enables process privilege "SeDebugPrivilege".
• (Process #25) kvfwecxf.or3.exe enables process privilege "SeDebugPrivilege".

1/5 | Hide Tracks | Creates process with hidden window | 6 | -
• (Process #1) kvfwecxf.or3.exe starts (process #2) advancedrun.exe with a hidden window.
• (Process #2) advancedrun.exe starts (process #21) sc.exe with a hidden window.
• (Process #1) kvfwecxf.or3.exe starts (process #22) advancedrun.exe with a hidden window.
• (Process #22) advancedrun.exe starts (process #23) powershell.exe with a hidden window.
• (Process #1) kvfwecxf.or3.exe starts (process #25) kvfwecxf.or3.exe with a hidden window.
• (Process #24) wscript.exe starts (process #24) wscript.exe with a hidden window.

1/5 | Discovery | Enumerates running processes | 3 | -
• (Process #2) advancedrun.exe enumerates running processes.
• (Process #22) advancedrun.exe enumerates running processes.
• (Process #1) kvfwecxf.or3.exe enumerates running processes.

1/5 | Mutex | Creates mutex | 1 | -
• (Process #1) kvfwecxf.or3.exe creates mutex with name "Ojimkn".

1/5 | Obfuscation | Reads from memory of another process | 1 | -
• (Process #1) kvfwecxf.or3.exe reads from (process #25) kvfwecxf.or3.exe.

1/5 | Obfuscation | Creates a page with write and execute permissions | 1 | -
• (Process #1) kvfwecxf.or3.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 | Discovery | Possibly does reconnaissance | 22 | -
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "RealVNC" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "TightVNC" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "TigerVNC" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Foxmail" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "blackHawk" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Opera Mail" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "SeaMonkey" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "WS_FTP" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "CoreFTP" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "icecat" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "FTP Navigator" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "FileZilla" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Flock" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Qualcomm Eudora" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "k-Meleon" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "The Bat!" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "WinSCP" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application